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CONTRACTOR REPORT 


LESSONS LEARNED IN ENGINEERING 


INTRODUCTION 

This report is a compilation of Lessons Learned in approximately 55 years of 
engineering experience by each, of James C. Blair, Robert S. Ryan and Luke Schutzenhofer. 
The lessons are the basis of a course on Lessons Learned that has been taught at the 
Marshall Space Flight Center. The lessons are drawn from NASA Space Projects and are 
characterized in terms of generic lessons learned from the project experience, which are 
further distilled into overarching principles that can be applied to future projects. 

Included are discussions of the overarching principles followed by a listing of the 
lessons associated with that principle. The Lesson with sub-lessons are stated along with a 
listing of the project problems the lesson Is drawn from, then each problem is illustrated and 
discussed with conclusions drawn in terms of Lessons Learned. The purpose of this report is 
to provide principles learned from past aerospace experience to help achieve greater 
success in future programs, and Identify application of these principles to space systems 
design. The problems experienced provide insight into the engineering process and are 
examples of the subtleties one experiences performing engineering design, manufacturing 
and operations. A CD of a class taught on this subject Is Included, providing the illustrations 
used in this report, along with other related material. 

How to avoid the mistakes of the past and how to train people In the essence of 
engineering are mandatory questions we face in aerospace engineering. Those who forget 
the lessons from the past are doomed to repeat them. Dr. Wernher von Braun has said that; 
“Crash programs fail because they are based on the theory that with nine women pregnant 
you can get a baby in a month.” Failure also occurs because we forget that physics rules and 
we try to bypass it in our designs. 

NASA and DOD have a great heritage in Space Systems programs that have been 
very successful; however, they are pushing the limits of technology in order to defeat gravity, 
survive extreme environments, and meet their programmatic goals. In pushing the limits, we 
have to take risks, and in taking risks we naturally have problems. 

The power density and the high efficiency requirements of space exploration lead to 
an unprecedented and challenging sensitivity of the system performance to the system 
parameters and their uncertainties, manufacturing practices, etc. which implies great risks 
and many potential problems. The experience we have had with these systems in the last six 
decades bears out these observations. NASA has lost astronauts three times, the first was 
the Apollo fire at KSC, the second was the loss of Challenger and its crew, and last the loss 
of Columbia and its crew. There are other failures that have led to loss of mission and many 



other problems that have had major program impacts. DOD and the commercial side of 
space exploration have experienced problems of the same general categories discussed. 

The goal of this report is to review the NASA programs, develop lessons learned, and 
from them derive basic principles that can be applied to future programs. While only those 
problems and systems worked on by the authors are included as examples, the lessons and 
principles are generic and can be applied in other technical and organizational arenas. The 
report concludes with a reiteration of the principles. 

NASA Programs 

We started out working with the Army Missile Command, on the Redstone and Jupiter 
missiles and their derivatives, which were eventually used in space exploration. The Saturn I 
was started as an Army project and then taken over by NASA. It was a vehicle that used 
current hardware and manufacturing processes in order to get an early heavy lift launch 
capability. The Saturn I first stage used the Jupiter manufacturing process and tank diameter 
for the center tank, and the Redstone tank diameter and manufacturing process for the 
clustered tanks. The first stage engines were H-Ts produced by Rocketdyne, and the upper 
stage engines were RL-10’s produced by Pratt & Whitney. After successfully launching the 
Saturn I vehicle we were transferred to the newly-formed NASA organization in 1960 and 
worked all the NASA programs including the potential new starts that did not materialize or 
were canceled before completion. Figure I-1 shows a partial list of the projects, and Figures I- 
1 , 1-2, 1-3 & 1-4 include pictures of some of the projects. Notice on Figure 1-1 that a sketch of 
the Russian vehicles and the DOD vehicles are included. We had some small efforts on 
these systems. Bibliography provides details if the reader wants to explore further the various 
projects and their characteristics. 


Basis of Lessons 



Figure M . Example Projects that Formed Basis of the Lessons 
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Figure 1-2. Example Projects that Formed Basis of the Lessons -cont’d. 
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Figure 1-3. Example Projects that Formed Basis of the Lessons - cont’d. 
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Figure 1-4. Example Projects that Formed Basis of the Lessons - cont’d. 

Lessons Learned Process 

The process used for developing and describing the “Lessons Learned” starts with the 
listing of various project experiences and problems from which we developed the lessons. 

We limited the projects and lessons to those that the authors had experience with. There are 
many other lessons in our collection which others have developed which are a rich source for 
the reader to explore. We next grouped the observations into generic and technical 
categories. We first subdivided the two categories into more definitive categories as shown 
on Figure 1-5. Under these categories the observations were then grouped as lessons derived 
from the observations. Top level principles of design and management were distilled from 
these lessons. 


Basis and Applicability of Lessons 

<■> From our experience, which has been primarily in technical integration 
and flight mechanics, we have derived lessons and distilled principles that 
are general in nature and apply across all engineering. 

<■> The general lessons and principles can be supported by examples from 
disciplines other than those of the authors’ experience. 
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<■> In addition to these general lessons, there are also discipline-specific and 
component-specific lessons that are not addressed in this course. They 
are available from other sources such as the NASA and Center Lessons 
Learned databases, Lunar e-Library (Materials Division), etc. 
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Figure 1-5. Lessons Learned Process 

The top level principles are listed below, with associated corollaries. Principle 1 
deals with the importance of people. Most of everything we do depends on the 
judgment and decision making skills of our people. People are the most important 
resource an organization has. In fact, all infrastructures exist as an aid to the human 
personality and mind. Principle 2 deals with how the challenge of putting systems in 
space drives everything, including all analysis and test and the project design. 
Principle 3 deals with the system interactions and the fact that all the parts are 
interacting elements of the system. Communications is a key to understanding this 
systems aspect of a project or program. Principle 4 Is fundamental In that everything 
is governed by the laws of physics. In a broad sense this also includes the basic 
principles of finance, organization, etc. Principle 5 deals with need for robustness and 
the understanding of sensitivities, uncertainties, risks and margins of the system. 
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Principle 6 says that we must design a product for its total life cycle, not just one 
phase. Principle 7 says that testing and verification are essential to developing a good 
product. Principle 8 deals with the need for critical thinking and having a culture that 
listens, thinks creatively and questions critically. Principle 9 goes back to the people 
and deals with the importance of leadership. Each of the principles will be discussed 
in more detail in the following sections of the report. 

Lessons Learned Principles 

I. System success depends on the creativity, judgment, and decision-making 
skiiis of the peopie 

- People are our most Important resource 

II. Space systems are challenging, high performance systems 

- High energy, high power density 

- Therefore, high sensitivity 

III. Everything acts as a system (whole) 

- We design by compartmentalization and reintegration 

- Understanding interfaces and interactions is crucial 

- Requires pervasive communications 

IV. The system is governed by the laws of physics 

- Reality can’t be ignored 

- Look to the real performance of the hardware and software 

V. Robust design is based on our understanding of sensitivities, uncertainties, 
and margins 

- Must consider sensitivities, uncertainties, margins, risks 

- Aim for robustness 

VI. Project success is determined by life cycle considerations 

- Program constraints can result in a non-optimal design 

- Requirements can drive the design in unexpected ways 

- Early phases of project most influential on design 

- Design must consider full life cycle including 
manufacturing, verification, and operations 

VII. Testing and verification have an essential role in development 

- We understand by testing 

- Must know limitations 

VIII. Anticipating and surfacing problems must be encouraged 

- Critical thinking 

- Think out of the box 

- Listen 

IX. Leadership is the foundation 

- Integrity 

- Outward focused 

- People centered 
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Another way of visualizing the lessons is shown Figure 1-6 as a triad of Insights, 
Integration, and Individuals. Insights deal with principles, physics of the problem, 
critical thinking, creativity and discoveries. Integration deals with the system and 
subsystems, their uncertainties, sensitivities and trades, while the Individuals leg deals 
with leadership, people skills, communications etc. Only representative items are 
included. Insights are the basic principles that we see from the lessons and the 
discoveries they reveal. Individuals involve the individual skills and organizational 
characteristics. Integration covers the complex interactions which occur within 
complicated space systems and the process of making the total system perform 
successfully. 


INSIGHTS 


Systems 

Subsystems 

Technical 

- Uncertainties 

- Sensitivities 
-Trades 


INTEGRATION 



Principles 
Physics of Problem 
Critical Thinking 
Creativity / 

Innovation 

Discoveries 


INDIVIDUALS 


People 

Leadership 

Skills 

Knowledge 

Teaming 

Communications 


Figure 1-6. A Triad of Principles and Lessons Concepts 

We have grouped the twenty-seven Lessons Learned under the nine Principles 
discussed earlier. The Principles and the Lessons grouping becomes the outline for 
discussion for the rest of the report as shown below. 

Listing of Principies with Supporting Lessons 

I. System success depends on the creativity, judgment, and 
decision-making skills of the people 

1 . People Are the Prime Resource for Project Success 

2. People Skills are Mandatory for Achieving Successful Products 
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II. Space systems are challenging, high performance systems 

3. Demand for High Performance Leads to High Power Densities 

and High Sensitivities 

III. Everything acts as a system (whole) 

4. Systems and Technical Integration 

5. Risk Management 

6. Ali Design is a Paradox, a Balancing Act 

IV. The system is governed by the laws of physics 

7. Physics of the Problems Reigns Supreme 

8. Engineering is a Logical Thought Process 

9. Mathematics Is The Same! 

10. Fundamentals of Launch Vehicle Design 

V. Robust design is based on our understanding of sensitivities, 

uncertainties, and margins 

1 1 . Robustness 

12. Understanding Sensitivities and Uncertainties is Mandatory 

13. Margins Must Be Adequate 

VI. Project success is determined by life cycle considerations 

14. Design Space Constrained by Where You Are in the Life Cycle 

15. Concept Selection and Design Process 

16. Requirements Drive the Design 

1 7. Designing for the -ilities and Cost 

VII. Testing and verification have an essential role in development 

1 8. Hardware and Data Have the Answers 

19. Can Test Now or You Will Test Later 

20. Independent Analysis, Test, and Design Keys to Success 

21 . All Analyses and Tests are Limited 

22. Scaiing is a Major Issue 

VIII. Anticipating and surfacing problems must be encouraged 

23. Must Hear and Understand All Technical and Programmatic Opinion 

24. There are No Small Changes! 

25. Expect the Unexpected 

IX. Leadership is the foundation 

26. Integrity 

27. Focus Beyond Yourself 
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Discussion of Lessons Learned Principles 


In the following sections we will divide the report by the Principles shown above. For 
each Principle, there will first be a discussion of the principle category in general, followed by 
a listing of the lessons supporting that principle, along with sub-categories of the lesson. 
Included will be a listing of the various problems/projects used to create the lesson. The 
format will be: The lesson with corollaries is stated along with a listing of the project problems 
the lesson is drawn from, then each problem is illustrated and discussed with conclusions 
drawn in terms of Lessons Learned. 


Principle I: System Success Depends on the Creativity, 
Judgment, and Decision-Making Skills of the People 

1 . People Are the Prime Resource for Project Success 

2. People Skills are Mandatory for Achieving Successfui Products 

What we have found is that of all the resources and skills required for project success, 
people are number one; everything else comes in second. We will discuss this category 
under the above two lessons: 


Lesson 1 : People Are the Prime Resource for Project Success 

® People are the prime resource. Engineer's judgment and creativity are the key to 
quality engineering. All other resources are an aid to the human mind. 

Eii The complexity of the system requires applying judgment and innovation 
to the specific situation. Dogma, ruies, or recipe cannot suppiant this. 

Eii Tools enhance efficiency, but cannot replace judgment and creativity of 
the human mind. 

Eii Guidelines and criteria should be tailored or adapted to the particular 
project, to avoid a dogmatic approach, which unnecessariiy constrains 
design soiutions. 

E'3 Many decision gates are not explicit, but are judgment based, requiring in- 
depth system knowiedge and wisdom. 

E'3 The ievel of penetration is an engineering judgment, determined by 
project characteristics, phase, sensitivity, and uncertainty. 

E'3 Reward aii expressions of creativity. 
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The sub-topics of the general lesson that people are the prime resource state clearly that 
we cannot just depend on process and procedures to obtain a successful product; but, that 
the complexity of our space systems depends on the judgment and innovation of the people 
of the organization to create, build and manage a successful system. Dogma and rules, 
although they can guide and are necessary, can never replace this judgment and creativity of 
the human mind. In the end the human mind trumps. The same can be said of tools. We 
need process, procedures, criteria and guidelines but they should never be used to replace 
the creativity and the human judgment. We use these tools to aid in decision making but in 
the end most decisions are human judgments based on wisdom and understanding. One of 
the big questions design and operations of space systems raises continually is “When is 
enough good enough for the system.” Our tendency is to be risk aversive and add detail way 
beyond what is good enough. Human judgment and creativity should be applied in all aspects 
of space operations. The organization should reward all expressions of creativity of its people 
and not have an organization governed by fear of failure. 

The complex technical and managerial problems we face depend on human judgment, 
creativity, and innovation for solutions. All our other tools are aids for the human mind in the 
performance of these tasks. Our job then is to bring out and develop these human resources. 
There are many examples that illustrate the value of human resources and how they have 
been rewarded. This creativity exists in many forms as illustrated next. The basic lesson is 
that we must reward all forms of creative actions of our people and start development of 
processes to remove inhibitors which suppress the creative actions of its people. 

Creativity exists in several forms. 

1 . Technical expression 

2. Artistic expression 

3. Naming of hardware parts 

4. Musical expression 

Reward all forms of creativity expressed by the people. 


Examples for Lesson 1 are: 

• Rich Holman 

• Honeywell Calendars 

• Jupiter Propellant Sloshing Solution. "Beer Cans" 

• Synthetic Wind Profile 

• SSME LOX Pump Silicon Nitride Bearings 

• Tethered Satellite Skip Rope Damper 


Rich Holman 

In the early Apollo days there was an engineer. Rich Holman, at McDonnell Douglas 
who drew cartoons of the Saturn IV B problems and the personalities involved in the 
problems. McDonnell Douglas thought the value of the cartoons was so great that they 
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published a selected group in a little booklet titled “Nicely Drawn by Rich Holman”. [Holman, 
Special document] We have selected two of these to illustrate the content and value. Figure 
1-1 deals with a problem we had with the dynamic response of the engine gimbaling 
actuators. The actuators were coupling dynamically with the thrust structure creating an 
undesirable high response, which compromised the controllability of the vehicle. Rich 
summed up the physics of the problem by saying that it only hurts at resonance. The people 
involved that were not convinced were the recipients of the statement. The name of 
Eggleston on the badge is one of the SIVB Stage Program managers that were having 
trouble accepting the existence of the problem. Rich’s cartoons not only dealt with the 
physics of the problems but the human involvement as well. Figure 1-2 had to do with a 
control feedback potentiometer that was giving a problem. Getting rid of the potentiometer 
required the addition of additional elements that increased the complexity of the system. In 
those days the potentiometer was a series wound coil which the wiper arm moved across to 
create the signal. Each time the wiper arm encountered the next winding of the coil, the 
signal would jump in amplitude, creating a series of frequency pulses. The frequency of the 
pulses was introduced by the speed the arm was moving. This series of pulses was creating 
a dynamic problem. The quote; “But it does get rid of the feedback pot”, sums up the 
principle, that adding complexity creates additional problems. The cartoon illustrates this by 
the number and complex arrangement of parts in the base region of the SIV B Stage. 



Figure 1-1. It Only Hurts At Resonance 
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Figure 1-2. But It Does Get Rid of That Feedback Pot 
Honeyweii Calendars 

In this same time period Honeywell Corporation put out calendars with cartoons drawn 
by Bill Eddy that were of the same character as was Rich’s. The cartoons were published by 
Minneapolis Honeywell in two books [Eddy, 1956] and [Eddy, 1962]. We have chosen three 
of these monthly calendar cartoons: Figure 1 -3 is one of our favorites which illustrates that all 
details are important. It shows the importance understanding any anomaly before proceeding; 
as the bridge that doesn’t connect because of the design error of a decimal point. Figure 1 -4 
shows the importance of capturing early and controlling requirements versus letting 
requirements grow and change uncontrolled. Space programs have been replete with large 
cost growth due to changing requirements. Figure 1-5 deals with the Alaskan oil pipeline 
where they were painting it from different ends and when they met the colors where different. 
(Not an actual happening) It illustrates the concept that one must stay with the specifications 
and requirements or push back on the system so that the design is consistent. 
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Figure 1-3. So That Decimal Point Indeed Was A Fly Speck 



Figure 1-4. Changing Requirements 
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Figure 1-5. What Change in What Specifications? 


Jupiter Propellant Sloshing Solution. "Beer Cans" 

We lost the first Jupiter missile due to an engine plume recirculation problem burning 
the actuator control wires. The second Jupiter launch was lost due to propellant sloshing 
dynamics coupling with the control system. [Ryan, September 1996; Abramson, SP-106, 
1967; Abramson, SP-8031 , 1969].The control system was saturated and vehicle control was 
lost at max q. The first problem was fixed with the installation of a heat shield where the gas 
generator exhaust was dumped overboard; however the second problem required more work 
and engineering creativity. No analytical models existed for characterizing the dynamics of 
liquids in a tank, and this type of experimentation was an emerging technology. The problem 
became the instigator for a long term analytical and experimental technology development. 
Helmut Bauer at NASA and Norm Abramson at Southwest Research Institute were the 
leaders in this effort. [Bauer, 1964] However, this effort was downstream and we needed a 
quick solution so that Jupiter 3 could be launched on time. We took the Jupiter LOX tank and 
put it on an empty railroad car and filled It with water. We then bumped the railroad car 
against the spur railroad stop, exciting the liquid dynamics. A movie camera recorded the 
motion and we were able to derive an equivalent slosh mass and frequency to be used In a 
control feedback simulation. The question then was: “What is a fix for the problem?” so that 
we could launch the next vehicle. Someone said that when they were back on the farm and 
had to haul water in steel drums in a wagon, that they floated pieces of lumber on the surface 
to keep it from sloshing. Well, lumber would not work in a missile, but floating something 
would. The original design was a perforated cylinder truncated with cones and had a 
commode float inside to make it float. The entire surface was filled with these devices called 
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beer cans. We then put these in the tank on the railroad car and demonstrated that they 
would indeed suppress the sloshing. They were eventually flown on Jupiter. See Figure 1-6. 

Later, through analysis and sub-scale testing, we developed the baffle approach 
making the perforated baffles a part of the ring stiffeners. See Figure 1-7. This approach was 
used on Saturn and saved weight by having the baffles also perform part of the stiffening 
required to prevent tank buckling etc. Shuttle used baffles attached to an inter-frame instead 
of the ring frames due to manufacturing and operational requirements. 



Figure 1-6. “Beer Cans” Flown on Early Jupiters 
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Later Jupiter With Srosh Baffles 


Figure 1-7. Later Jupiter Configuration with Slosh Baffles 
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Synthetic Wind Profiie 

Early in Saturn development, we were challenged with the problem of representing the 
atmospheric wind characteristics in a manner that would allow 6-degree of freedom control 
and vehicle dynamic simulations to provide time consistent 3-sigma response data for 
structural design. Two creative ideas were required to meet this goal. The first involved a way 
of taking each single parameter 3 sigma run of the 6-DOF response run and comparing it to a 
nominal run, extracting the differences for each response parameter. These deltas were then 
root-sum-squared (RSS’d) and added to the nominal, producing the 3-sigma design values. 
The problem was that this discrete value was needed in combination with all other 
parameters in the time consistent manner in order to have a balanced load set. Jud 
Lovingood came up with a way of taking the 3-sigma deltas and ratioing them with the 
nominal to generate a ratio for the input parameters, which then provided a 3-sigma time 
consistent response. [Lovingood, J.A. 1964] In addition we needed a way of having the wind 
characteristics modeled in a time consistent manner for a forcing function for the 6-DOF 
simulation. Helmut Horn, Jim Socggins, Bill Vaughn and Robert Ryan came up with the 
synthetic profile based on a 95% wind speed and RSS’d 99% wind shear and square waved 
wind gust. See Figure 1-8. This was used very successfully in the early design of Saturn. 
[Geissler, E.D. et.al.1970] The need arose to have a more realistic representation of the wind 
shear and gust, so a monthly set of detailed measurements were measured over a few years 
timeframe, that had the wind gust and shears correct to 50 meter lengths. Using these 
detailed Jimsphere wind profiles a Monte Carlo approach was used to verify that 
accelerometer feedback load relief was not effective. As a result Saturn V flew without load 
relief. (See Lesson 6) [Ryan,R.S. January 20-23,1969; Geissler, E.D. et.al. 1970] Since then 
a vector wind model and the Global Reference Atmosphere Model (GRAM) wind model have 
been developed for use in Shuttle and new programs. 



Figure 1-8. Synthetic and Measured Wind Profile Approach 
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The need for and the application of this approach is summarized as: 

• Control and Loads response analysis requires time-consistent data. 

• Question: How do I generate this time-consistent data from a root-sum-squared (RSS) 
peak value from perturbated individual response runs? 

• The A-Factor approach ratios the individual perturbated peak values to the RSS’d 
value, to obtain parameter scaling factors, which will produce a time consistent run 
with the peak value matching the RSS’d. This produces a time-consistent data set for 
all response variables at a 1 -sigma level 


SSME LOX Pump Silicon Nitride Bearings 

During Space Shuttle operational flights, liquid oxygen (LOX) pump bearings were a 
major problem, as were other elements such as turbine blades and welds. Bearings would 
wear out very quickly and along with other problems led to a requirement to refurbish the 
pumps after every one or two flights. Alternate turbopumps were proposed as a solution to 
these problems. The development of the alternate LOX turbopump was having major issues 
with the pump end bearings in that they would overheat and wear out in the first 50 seconds 
of run time. This problem was threatening continuation of the program, and needed a quick 
solution. A team was formed to find a solution to the problem. They tried everything with 
nothing working. Prior to this team’s formation a MSFC engineer Dr. Robert Thom, was 
thinking out of the box and came up with use of Silicon Nitride (SiNi) ball bearings and had a 
technology program in place to test the bearings in a bearing tester. The team was near the 
deadline of program cancelation unless a solution was found, when we decided to try the new 
SiNi balls. [Gibson, Jannaf-1354] Silicon Nitride is a ceramic material. A manager of Pratt & 
Whitney was reluctant to try them and had said no one would put glass balls in his pump. A 
Pratt engineer took him into the shop and put a new ball bearing in a nylon sack and had him 
hit it with a large sledge hammer. The anvil and the hammer were dented, but the ball had no 
fracture under microscope inspection. As a result we started testing the balls in a pump and 
surprisingly there was no wear of the balls or the race. The results have been that pumps can 
fly 20 times with no bearing wear. See Figure 1 -9. Currently, all space shuttle turbopumps 
have these SiNi bearings. 
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ATD-HIGH PRESSURE OXIDIZER TURBOPUMP 



Damper seal 
Inducer cavitation 


PEBB deadband 
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preload 


Balance piston dynamics 
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Figure 1-9. Alternate SSME LOX Pump with Siiicon Nitride Bail Bearings 


Tethered Sateiiite Skip Rope Damper 

Tethered satellites have many technical features that are desirable. The can be used 
for power sources, orbit changes etc. However, implementing a Tethered Satellite had major 
design problems. As the satellite was deployed on a tether, the tether would set up dynamic 
oscillations (skip rope), which in the end could destroy the system. A team was formed to 
solve the problem through analysis and test. It was clear that some means of damping the 
oscillations was required. The approach was to install a damping system in the tether output 
ferrule using negator springs. As the tether dynamically moved, the dampers on the end of 
the cable attached to the eye through which the tether was deployed would move with the 
dynamic motion, thus damping the skip rope. After much testing the system was verified and 
flew very successfully on the first tether flight. See Figures 1 -1 0 through 1 -1 2 for details. 
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T3S Satellite Deployment Scenario 
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Figure 1-10. Tether Deployment Scenario 
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Figure 1-11. Tether Skip rope Characteristics 
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• Tether skip-rope was 
stabilized using an 
innovative damper 
mechanism. 

• The dampers were 
on the ends of motor 
cables attached to a 
floating ring through 
which the tether 
passed. 


Figure 1-12. Tether Skip Rope Damper 

What we have illustrated with these examples is how innovation and creativity of the 
human mind has resulted in the solution to very complex problems. It is mandatory that the 
individual and the organization be provided the opportunity for the free expression of this 
creativity and employ both means for its development and rewards for its expression. 
fMowery, D.M.,et.al.,1993] 

<-> A key message from Lesson 1 : 

Reward Judgment and Creativity. 

Dogma, rates, and recipes stifie Criticai Thinking 


Lesson 2. People Skills Are Mandatory For Achieving 

Successful Products 

® Atthough engineering skitts are essentiat, peopie skitts are mandatory for 
achieving successful products. 

Eii Choose a strong leader with decision making capability who listens and 
encourages everybody to integrate. 

Eii Organization is the tool to accomplish the job; must provide leadership 
and motivation. 

Eii Encourage engineers to enhance their cooperative interactive skills as 
well as their technical skills. 

E'3 Train engineers to be specialists with a system focus. 

E'3 Reward specialists to participate in integration activities in order to 
formulate a world view of the total system. 

E'3 Provide an open environment, which encourages innovation and 
stimulates communication. 
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Since people are the prime resource in achieving project success, engineering skills 
are essential. However, that is not enough; people skills are mandatory for achieving 
success. There are a number of people skills, but the focus here will be on nurturing skills 
and developing skills associated with individual and organizational growth. 

Nurturing skills requires strong leaders who can make correct judgments and 
decisions. They encourage everyone to interact and integrate (system focus), while keeping 
in the forefront the importance of technical skills. Leaders are mentors, teachers, and role 
models for technical integration and systems engineering. In those capacities, they advocate 
their views while inquiring the views of their reports. Everyone knows the leader’s goal is the 
search for the best balanced design, technical solution, or truth, all with a system focus. 

They demonstrate the nurturing process through example while providing an open 
environment where innovation and communication are encouraged and the fear of failure is 
minimized. These leaders inspire and motivate everyone to accomplish their goals with 
passion. 

An important aspect of people skills has to do with providing people a means for 
achieving personal and organizational growth. There are numerous subjects associated with 
individual and organizational growth. The select list below represents some that have been 
found to be beneficial. Each will be discussed briefly and references provided for further 
understanding. 

Characteristics of Individual and Organizational Growth 

A. The Principle of Attitude 

B. Tree of Life 

C. Senses Involvement 

D. Aperiodic Reinforcement 

E. Hierarchy of Needs 

F. Law of Readiness 

G. Must Lose to Gain 

H. Expectancy Theory (Pygmalion Effect) 

I. Follow-up and Feedback 

J. Role Modeling 

K. Guidance and Control Theory 

L. Communication 


A. The Principle of Attitude 

The mind is one of the keys to growth. A person’s attitude is the fuel of growth. 
Whitmore shows an interrelationship between the attitude of the mind, knowledge (technique) 
and experience (fitness). [Whitmore, 1997] Figure 2-1 . The openness of the mind influences 
how our attitude changes, what we acquire, and the experience we achieve. Knowledge has 
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to do with the technique of the job while experience relates to the fitness to accomplish the 
job. If we think we have all the answers, we are not open to new knowledge or experience. 
Hunger for growth is important, as is humility. Humility means that we are trainable. 

Closely related to the principle of attitude is The Law of the Mind. “Whatsoever a man 
thinketh, so is he.” Earl Nightingale said it like this: “Whatsoever a person indelibly 
impresses on the mind will one day be expressed.” He said that, “The mind will marshall the 
resources required to accomplish the goal.” [Nightingale, 1990, 1997] Some have said that if 
it can’t be done ethically, then it will be accomplished unethically. There is a warning implied: 
“Be careful what you impress on the mind.” 


Attitude of Mind 



(Technique) (Fitness) 


“Coaching for Performance” by John Whitmore 


Figure 2-1 . Principles of Attitude 


B. Tree of Life 

In all stages of our lives we have various diverse roles to accomplish. For the most 
part, this creates conflict because: 1 . there are many; 2. they can be intense; 3. they can 
be time consuming: and 4. they can be conflicting. As a consequence, major frustration 
can be experienced. There is a need to identify and understand all our roles and then 
determine how to deal with them. [Covey et. al., 1994], provides some insights by relating 
our principles, mission, and roles to a tree, thus “Tree of Life.” Figure 2-2 is an adaptation 
from Covey. 
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Roles must be balanced 



Roles 


Interrelated 

Activities 


Missions 


Mission 


Personal 

Professional 


Principles 


Spiritual 

Cultural 

Educational 


Roles 

Branches Grow out of trunk 
Roles grow out of Mission 
Channels of activities by which 
we love, learn, live, and 
leave a legacy 


Principles 

Roots 

Give sustenance and life 


Balance means all parts working synergistically in a highly interrelated whole 
Balance isn’t “either/or” i it’s “and” 

Figure 2-2. Tree of Life 

When we look at the Tree of Life we see a growing life form that is strong, healthy, 
colorful, and pleasant to look at. The main elements of the tree are the roots, trunk, and the 
branches. The roots provide the necessary sustenance while the trunk fulfills the needs of the 
branches, I.e., food and strength. The branches grow out of the trunk. They provide 
nourishment for the system and aesthetic value. Each of these elements have specific 
functions, but for the tree to attain its strength and beauty these elements must work together 
to achieve balance. Balance is achieved when all parts work together achieving synergism to 
accomplish the strength and beauty of the highly interrelated whole tree. 

The diversity of our roles at various stages of our lives can create conflict and frustration. If 
we make a comparison between key aspects of our lives and the tree of life, there are 
similarities that are helpful. For Instance, see Figure 2-2. In this figure we have principles, 
missions, and roles. These are analogous to the elements of roots, trunk, and branches of 
the tree. The principles in our lives are spiritual, cultural, and educational. They are the 
foundations upon which we set achievable goals, determine our paths, and make decisions. 
Our mission in life is mainly related to the personal and professional life style and occupation 
we choose. Our mission determines the roles that we have to carry-out for our missions to 
be successful. When we consider our personal and professional roles there can be 
considerable diversity that can lead to frustration. There is a demand for our time, capability, 
participation in number of activities, complications, etc. To complicate matters, as we were 
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growing-up into adulthood, we learned to compartmentalize our activities;” I’ll either do this or 
that.” In consideration of the number of roles we have, if we continue to compartmentalize 
our roles it will lead to pain in personal relationships and retard personal growth. Like the 
“Tree”, our roles are parts of a highly inter-related whole where balance is needed. Recall, 
balance in the tree is achieved when all parts work together. Our roles appear conflicting and 
unrelated because we have not figured out how to make everything work together. Balance 
is not “I’ll either do this or do that.” We will see that balance means “I’ll do it all.” 

Our initial look will focus on how to achieve balance in executing the activities 
associated with our roles. At first when all the roles are considered, it may look like an 
insurmountable monumental time consuming effort that no one could accomplish. In fact, it 
turns out that most of our roles are “parts of an interrelated whole that work synergistically”. 
After it is understood how the various roles play together and how they can be conditioned, 
our attitude relating to dealing with them will change and there will be a reduction in 
frustration. Instead of fighting the notion of all the “things” that must be done “now”, accept it 
as a challenge. For instance, “my hobby will be conquering my roles.” I’ll interact with all 
those close to me, i.e.. I’ll let them know I have accepted the challenge and invite them to 
participate. They are now partners with me in my new hobby. Then as part of the challenge, 
put things in an appropriate perspective. Firstly, consider the time it takes to accomplish an 
activity. Sometimes deadlines are levied without any notion whatsoever regarding how long 
an activity will actually take. Also, if there is a real short- fuse deadline, make sure it is 
understood that the results will be a short-fuse result. Occasionally, everything can be 
dropped for a better than short-fuse result, but all of our activities can’t run in the short-fuse 
timeline mode. Thus, the timeline of our activities must be understood and balanced. 
Secondly, consider the magnitude of the activities. Could it be that we can’t tell what is 
important (big rocks) and what is not (sand pebbles)? When a set of activities is initiated, it 
might be difficult to determine what’s important. The sensitivity of the outcome to the various 
activities has to be determined, i.e. what are the consequences of not doing a specific activity 
or reducing the level of effort. After the big rock activities are determined, what is their 
sequence? Thus the balance of the effort of the activities is determined. Now the important 
activities and their timelines are known and balanced. 

At this point it will be observed that our hobby has activities where parts fit together 
into an interrelated whole that work synergistically. Now instead of doing this or that in a 
piecemeal frustrated fashion, all the balanced activities are being accomplished in a 
harmonious commanding fashion. I have taken charge of my roles! 


C. Senses Involvement 

When Bob Ryan was studying education, one professor emphasized the principle, 

“The more senses you involve in the experience, the greater the learning retention.” (Touch, 
sight, sound, taste, and smell). Our experience in engineering has verified this principle. 
Engineers that see, touch, test as well as analyze hardware, in order to understand 
engineering design better, will produce better products. Learning and understanding is further 
enhanced if they have struck a weld, cut a line, made a dove tail joint etc. As a result we 
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worked hard to have our engineers in the plants where the hardware was being produced, 
tested etc. Ferguson at MIT recognized this, discussing it in great detail, emphasizing that 
educational Institutions must change their approach to teaching engineering, getting the 
students to where the hardware is being produced. [Ferguson, 1992] 

D. Aperiodic Reinforcement 

Aperiodic reinforcement, developed by Skinner and Watson, says that the learning 
retention is proportional to the lack of periodicity of the reinforcement. If the reward is given 
after every successful attempt the learning retention is short. If the reward is aperiodic, the 
knowledge of when the reward comes is unknown, hence the learner works harder for the 
reward and the learning retention is greater. Aperiodic reinforcement is a powerful tool in 
developing skills/ behavior. The lesson is clear, reward the effort but do so on an aperiodic 
basis for best results. [Skinner, 1972] 

E. Hierarchy Of Needs 

Understanding and fulfilling our needs are necessary elements that can improve motivation. 
The associated knowledge can be acquired by understanding Maslow’s hierarchy of needs 
as is shown in Figure 2-3. 


Fulfillment of Needs Motivates People 


i Define/clarify roles, 
goals, & values 


& enhance self-esteem 
I Listen actively & 


■ Recognize, maintain. 


Hierarchy of needs 


i Provide development 
opportunities 


respond with empathy 
I Ask for help, and 



■ Provide coaching 


Self 


Celebrate, recognize & 
reward 


encourage involvement 


Actualiza 
y Needs 
Self-Esteem 



I Share thoughts, 
feelings & rational 



i Promote communication 
& trust (share info) 


■ Offer support without 
removing responsibility 


Belonging Needs 


Safety Needs 


\ 

Physiological Needs 



Maslow’s Hierarchy of Needs Pyramid 


Fig 2-3. Maslow’s Hierarchy 
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Dr. Abraham Maslow was born April 1 , 1908 and died June 8, 1970, [Boeree, 2006] 
His contributions were primarily related to human behavior and motivation. In one of his early 
publications he conceptualized his basic theory where he delineated fundamental needs of 
man [Maslow, 1943]. Then in 1954 those needs were visualized in a hierarchy as shown 
above where the lower four needs are deficiency needs and the top need is a growth need 
[Maslow, 1954]. Within the deficiency needs, the lower level needs must be satisfied before 
going to the next level. If one of the deficiency needs is removed at some later time (I have 
no food), then we will act to relieve the deficiency (I have food). 

In the years that followed, Maslow determined that there were additional growth needs 
[Maslow, 1971] and [Maslow and Lowery, 1998]. Thus, the hierarchy was expanded. While 
the expanded hierarchy is not shown in the figure, insight is provided below for 
understanding. The expanded list that follows is a summary of all of Maslow’s needs in 
ascending order. 

Deficiency Needs: 

1 . Physiological: food, water, bodily comforts, ... 

2. Safety: out of harm’s way, ... 

3. Belonging: family, friends, ... 

4. Self-esteem: self-respect, respect of others, competent, ... 

Growth Needs 

5. Cognitive: knowledge, understanding, searching, ... 

6. Aesthetic: symmetry, order, beauty, ... 

7. Self-actualization: to be the best we can be, ... 

8. Self-transcendence: help others realize their potential 

Despite the fact that there is no scientific evidence to support Maslow’s hierarchy, it is 
widely accepted based on anecdotal evidence. Further understanding of Maslow’s 
conceptualization of human behavior and motivation can be found in [Boeree, 2006] and 
[Huitt, 2004]. While numerous insights can be investigated relating to human behavior and 
motivation, the focus will now be on self-esteem and self-actualization. 

Self-esteem can be thought of as one’s overall self-appraisal of their worth. It 
encompasses both beliefs and emotions and is reflected in behavior. In addition, it enables 
us to face the challenges in life and feel worthy of happiness. Maslow believed that we need 
the respect of others as well as self-respect. There are numerous activities that can be done 
to enhance self-esteem. Shown below is a short list which can be incorporated into our daily 
interactions with others. 

1 . Recognize, maintain, and enhance self-esteem 

- learn how to do it; show others by example 

2. Listen actively and respond with empathy 

- I’m interested in what you have to say 

3. Ask for help and encourage involvement 

- delegate instead of control; seek advice 
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4. Share thoughts, feelings, and rational 

- this is what I think; what do you think 

5. Offer support without removing responsibility 

- help others achieve their goals; but, don’t do it for them 

In addition to the above, consider the following: spiritual activities, exercise, praising, 
achieving goals, dress style, integrity, generosity, good work ethics, education, being 
courteous, and so on. 

Self-actualization is the desire for self-fulfillment; to strive to become actualized In what 
I am potentially, i.e., to become everything that I’m capable of becoming. In order for one to 
achieve their potential, time must be taken to understand one’s self. Then take the 
appropriate actions to achieve your potential. 

In learning organizations, provisions are in place to encourage personal growth. Listed 
below are some limited examples relating to what a learning organization should provide. 

1 . Define and clarify roles, goals, and values 

2. Provide development opportunities 

3. Provide coaching 

4. Celebrate, recognize, and reward 

5. Promote communication and trust (share information) 

Delineated above are some ideas relating to understanding and fulfilling needs. These 
ideas are a snapshot aimed at providing an eye opener to achieve a highly motivated life 
style. Since everyone is different, each must find their own tailored needs. What are yours? 

F. Law of Readiness 

“The Law of Readiness’’ is essential to understand how individuals and organizations 
grow. [Thorndike, 1912] In essence it takes the meshing of the physical, the emotional, and 
the Intellectual to create readiness. Until the blending occurs performance is not up to par. 
When they mesh performance is high and graceful. It takes time (patience), and experience 
(practice) to achieve readiness. When it happens it is obvious. You don’t give up easily on 
people. Provide time for the “law of Readiness” to work. When coaching the 1955 Alabama 
Class “A” Basketball Championship Team Robert Ryan had a 6’7” center who was key to 
winning. John had a habit of rebounding the ball and then pulling it down to dribble or pass. 

We set up practice drills having him push the ball back to the goal or pass It out. Finally Ryan 
put a block over the goal so that the ball would bounce out for him to push back. After several 
weeks of this drill, Ryan was losing patience. John had no confidence and he couldn’t get the 
hang of the principle. We worked one Friday and no progress was evident. Monday John 
came to practice performing the task with ease. Never again did he have to be reminded of 
the principle. Readiness works that way. Most of the time readiness appears to occur 
practically Instantaneously but is built over a period of time. The authors have seen it work in 
areas of engineering, where all of a sudden everything fits. The process repeats as new skills 
are added. 
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G. Must Lose to Gain 


Another principle of development, “Must Lose to Gain” is fundamental to growth. 

Figure 2-4 illustrates the principle using the trapeze artist. Growth implies first having a place of 
security from which to take off from. In this place one has social acceptance, equilibrium, control 
of one’s domain, good feelings, calmness, and status. To grow means turning lose and floating 
in uncertainty while reaching for the new. This turning loose is a leap of faith based on a 
challenge, encompassed with vulnerability, falling, and other undesirable risks. Leadership and 
management have the role of providing a safety net in case the employee falls so that they are 
not destroyed. Grasping the challenge means surrendering abilities, status, techniques, awards, 
becoming a nonconformist, many times risking financial security. A more disciplined life is 
implied along with commitment. In the end comes recognition, adventure, growth, power, but 
more importantly fulfillment. Growth always is anchored in choice; therefore “To grow means 
loss, and loss means mourning, so that newness can come in.” 


MUST LOSE TO GAIN: TRAPEZE OF GROWTH 


T'RIO'R TLJS.CE £JAJ^T> TLJACXS TILTUHT TLJACT 



* SECURITY 

* SOCIAL ACCEPTANCE 

* EQUILIBRIUM 

* KINGDOM BUILDING 

* COMFORT 

* NO ANXIETIES 

* STATUS 


•SURRENDINGTECHNIQUES 

•NONCONFORMISTS 




• FEAR & ANXIETY 

• UNCERTAINITY/AMBIGUITY 

• SURRENDERING ABILITIES 
•SURRENDING STATUS 

• RISK FINANCIALSECURITY 

• VULNERABILITY , FALLING & RISK 


* MORE DISCIPLINED LIFE 

* COMMITMENT 

* RECOGNITION 

* ADVENTURE 

* GROWTH 

* POWER 

* FULFILLMENT 



TO GROW MEANS LOSS - LOSS MEANS MOURNING 
SO THAT NEWNESS CAN COME IN 


Figure 2-4. Must Lose to Gain 

When Robert Ryan went from being a dynamicist to a manager, giving up doing the 
analysis was very hard. Many times it would have been easier and quicker to accomplish the 
job himself, yet development of people meant turning loose and letting them do the job. When 
he moved to the position of deputy lab director the change was dramatic. Engineers, who felt 
free to come into his office before, now felt constrained. The furniture, the office size. 
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location, etc. was a turnoff to openness. After some times of frustration, he started going to 
the engineers instead of having them come to his office. This helped eliminate some of the 
feelings of isolation but never totally solved the problem. Other roles replaced the old roles 
and growth occurred. Growth always means loss [Tournier, 1966]. Recognition of the 
principle is very important. It explains why people are reluctant to give up the security, 
friends, etc. of the place to take on the adventure of discovering a new place. Choice is 
difficult because it means giving up something. Coaching and mentoring people will bring the 
coach and mentor in constant relationship with this principle as people are trying to grow by 
making choices. 

H. Expectancy Theory (Pygmalion Effect) 

People tend to learn/accomplish what you expect them to do. This is called the 
Pygmalion effect or principle. Let them know what you expect and believe they can do it. In 
general they will surprise you in what they accomplish. [Livingston, 1988] 

I. Follow-up and Feedback Successive Refinement 

Learning follows the principle of successive refinement. Figure 2-5 follows the Learn, 
Commit, Do spiral. Bob Guns shows the principle as five levels of learning. [Guns, 1996] 
They are acquisition, use, reflection, change and how. The process is repeated for each new 
learning activity. These principles and models strongly indicate that growth takes time. In 
other words you can’t bypass nature. Many have said that on the average it takes 20 years to 
mature an engineer. Learning then requires commitment, action, then thinking about what 
happened and how, then making a change and repeating the process. 



Figure 2-5. Model of Successive Refinement 

Feedback is the principle involved in refinement. Feedback has four basic sources. 
The sources are: personal/self, mentor/coach, peer groups/others and supervisors. There 
are two types of feedback: To encourage and reinforce and to modify and correct. The latter 
can be unpleasant; but must be accomplished when the job being done is very critical or is 
detrimental to the individual. The general principle is to encourage and reinforce the positive 
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behavior. If this feedback is done properly the positive will, over time, supplant the negative. 
Cliff Wells when he was coaching basketball in Louisiana, said, “Praise 10 times for each 
time you criticize.” 

There are many factors of feedback, as noted on Figure 2-6. It is a continuous process 
(real time) that involves a clear understanding of lags and the do loop shown on the figure. 
The do loop starts with mission/vision, then learns. Action is created from the learning. The 
act is then evaluated in terms of the vision providing new learning and action. The difference 
between the vision and current reality creates the “dynamic tension” fueling growth. The 
degree of follow-up is based on task complexity, consequence of failure, employee capability 
and the morale and development of the employee. Bob Guns lists 9 principles of feedback, 
shown on the figure. The bottom line is never attack the employee personally. The principles 
are clear without interpretation. In summary feedback is both positive (encouragement) and 
negative (criticism). Both are necessary; however, concentrate on the positive, eliminate the 
negative, as the old popular song goes. 


Feedback/Follow-up 


• The right degree of follow-up should address: 

- the complexity and importance of the task, 

- the consequences of failing to meet the deadline, 

- the capability of the employee, and 

- the morale and development of the employee. 



• Principles of Giving Feedback 
from “The Faster Learning Organization” by Bob Guns 


1 . Be helpful, not punitive. 

2. See whether the person is open to feedback. 

3. Deal only with specific behavior, not generalities. 

4. Deal only with behavior that can be changed. 

5. Describe the behavior; don’t evaluate it. 

6. Explain the impact the behavior has on you. 

7. Use “I” to accept responsibility for what you’re saying. 

8. Make sure what the person heard was what you intended. 

9. Encourage the person to check the feedback with others. 


Figure 2-6. Feedback and Followup 


J. Role Modeling 

Role modeling is another way people develop. When Robert Ryan first married they 
shared a living room with a family who had two boys. Robert would sit and loop his leg over 
the chair arm. Jackie would try to mimic him but his legs were too short. One day he said, “I 
can’t do it.” Organizations need good role models both live and in their stories. There are 
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many stories at MSFC of role models used, which were unsuccessful since the role of the 
model did not fit the personality of the one mimicking. The role models must fit the person 
and the organization. Countless models exist on the positive side. Observe how people will 
dress, speak; etc. to mimic a role model. Many role models at MSFC and all organizations 
are Legends that influence way beyond their active employment time. Dr. Von Braun is a 
great example. 

K. Guidance and Control Theory 

The guidance and control theory of growth is based on the principle of the guidance 
and control of space vehicles. The control system handles the short term disturbances by 
correcting the vehicle attitude against a reestablished path attitude. (Some form of 
optimization) Guidance is concerned with keeping the vehicle on the path to the goal (orbit). 
The guidance gains get tighter the closer the vehicle gets to the target. During peak 
disturbances guidance usually is de-emphasized and control becomes one of relieving the 
disturbances versus maintaining the guidance-prescribed attitude. An example is load relief 
control during high winds and high dynamic pressure, where the vehicle is turned into the 
wind to reduce loads. This load relief control introduces drift away from the ideal trajectory, 
thus some performance loss, in order to reduce the loads. Maintaining attitude would 
probably break the vehicle or result in large increases in structural weight thus reducing how 
much payload can be put in orbit. People should be developed, managed in the same 
manner. Greenleaf says, “You need enough control to maintain order, but not so much that it 
kills the creativity and innovation of the organization’s people.” Successful growth personally 
and organizationally requires the maximum expression of creativity of its people. [Greenleaf, 
1977] 

L. Communication 

Two descriptions have been useful in featuring specific aspects of technical 
communications as applied in the design process. The first is the T-model and the second is 
communications in the design process. 

The T-model is shown in Figure 2-7 and is so named because of the horizontal and 
vertical components. It is a global model that focuses key features of technical integration. It 
delineates the system (horizontal) along with subsystems, design functions, or disciplines 
(vertical) while emphasizing the importance of formal and informal integration. 
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< System Connections -> 

Formal Integration 


Subsystems 
< Design Functions 
Discipiines 


Figure 2-7. T- Model for Technical Integration 

The horizontal portion of the “T” represents the System. The upper level (above the 
dashed line) of technical integration has been known by interchangeabie names as system 
integration, formal integration, or top ievel integration. The ieader and his office are the 
primary faciiitators or operatives at this levei of integration. The emphasis of this technicai 
integration is primarily related to the systems aspects of the design process, i.e., technical 
management, certification of the system, etc. The primary focus is delivering the product with 
the proper baiance of performance, cost, reliability, safety, operabiiity, scheduie, and TRL. 
Balance is achieved via managing and resoiving confiict. All system related decisions and all 
system related technical conflicts are respectiveiy made and resoived at this ievel. In 
addition, all system planning, controi, and documentation is maintained at this ievel. 

Technical integration beiow the dashed crossbar is informal and is a key enabler for 
achieving a successful design. The vertical bars relate to subsystems, design functions, or 
discipiine functions. There are a number of combinations of these ( subsystems, design 
functions, or discipline functions) that require informai horizontal integration. The emphasis 
here is informai integration (communication) between and among subsystem, design 
function, or discipline while including the system. It can be hall-talk, phone calls, inter-office 
discussion, technicai interchange meetings, etc. or other forms of communications. Since 
there are many vertical legs that affect each other, informal integration among these 
eiements is criticai. The functional organizations are the primary operatives of integration for 
discipiine-to-discipiine aspects of the design process, while the engineering design functions 
are the primary facilitators of integration for the subsystem-to-subsystem specific aspects of 
the design process. Recall, the vertical legs of the “T” also represent discipline activities 
(analyses, tests, simulations, etc.) associate with subsystems and design functions. They 
signify in-depth knowiedge (in the vertical direction) but with a system perspective. This in- 
depth knowledge is required to be accurate and with the associated uncertainty defined. 

A classical example of the T-Model is the game of basketball which is both a team and 
an individuai emphasis sport. The verticai iegs are the fundamentais of the game such as 
passing, shooting, dribbling, footwork, hand and finger position on the bali, screening. 
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blocking etc. Basketball is played with the ball being controlled with the finger tips not the 
cup of the hands. Footwork is first played on the ball of the feet and movement is by shifting 
without crossing the legs. In guarding an individual you in general don’t slap down on the 
dribbler but slap up or to the side otherwise you get called for a foul. These are examples of 
informal interactions. The systems part is both formal and informal. The formal takes place by 
the team running patterns and then informal takes place by taking advantage and adapting to 
what the defense does such as the back door, or the pick and roll. The jump ball and out of 
bounds situation etc. are additional examples of formal activities. 

Shown in Figure 2-8 is the second form of technical communication. The design 
process depicted in the figure is described in Lesson 4; the figure is used here to illustrate the 
need for extensive communication within the process. While the T-model description is 
global, this figure more specifically depicts technical communications as related to the 
compartmentalized design process. It shows the scope and variety of integrated 
communications needed. This can be seen by observing the interactivity among subsystems, 
design functions, and discipline functions; along, with their associated Ixl and NxN diagrams 
(data flow). In addition, the V-diagram from Classical Systems Engineering indicates the 
need for system integration to provide discipline, planning, balancing the system design, etc. 
to support the design process. Furthermore, the main aspects of Safety and Mission 
Assurance are illustrated: Safety, Reliability, and Quality. The ultimate goal is to achieve a 
balanced design. 



I 

System Design Process 


S««poit to Total Process 

- Esuntnii at Dssvi 
-AtfMcetrofflEjqicrts 

- LsHOos Learned 


Highly interactive communication required by 
compartmentalized design and life cycle process. 


Figure 2-8. Communications in the Design Process 
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® A key message from Lesson 2: 

Apply Principles Related To: Nurturing Interactive Skills 
Balancing Our Roles, Needs, and Communication 


Principle II: Space Systems Are Challenging, High Performance 

Systems 

The physics of flying into space demand that maximum energy must be extracted from 
the chemical energy source. This transformation from potential energy to kinetic energy must 
be very efficient, pushing the limits of current technology. The same Is true of the structural 
or dry mass of the system. Here the limit is pushed by current technology to make the 
structure very light, but very strong. In addition losses that occur in terms of how we fly the 
system must be stringently managed and controlled. In other words we can just barely make 
orbit with the technologies available today. These factors result in a requirement for high 
performance systems that drive large sensitivities and unwanted interactions. 

Lesson 3: Demand for High Performance Leads to High Power 

Densities and High Sensitivities 

® Demand For High Performance Leads To High Sensitivities and Power Densities 

® High performance launch vehicles are required to deliver payloads to specific 
orbits. To accomplish this, they must overcome gravity and attain enough 
velocity to achieve a stable orbit. 

E3 Consequences: 

Systems Pushed to the Limits: 

1. Chemical Propulsion System Efficiency 

2. Structurai Mass Efficiency 

3. Losses Minimized 

Eii Current Technoiogy Just Barely Enables Us to Make Orbit 


Figure 3-1 shows this challenge in terms of engineering, costs, and project 
requirements. The physics of the problem dictates that engineering must design high power 
density systems, very efficient propulsion and structural systems, and manage all the losses 
efficiently and effectively. This must be balanced with cost and project requirements of 
operability etc. This results In a high risk system in comparison to all other known 
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transportation systems. Mission success is paramount, especially if manned flight is involved, 
dictating that the risks must be managed and mitigated in an effective manner. When risks 
are coupled with costs, this balancing the system becomes a very difficult and complex 
problem. 


Highest Order Challenge 


• Mission Statement: Insert payloads into specified orbits per the given mission model within 
cost, reliability, operability, safety, and schedule requirements. 




Engineering Challenges: 

• High-Energy Densities 

• Propulsion Efficiency 

• Mass Efficiency 

• Managing Losses 

- Trajectory Losses 

- Uncertainties 



• Project Requirements: 

• Performance 

• Cost 

• Reliability 

• Operability 

• Safety 

• Schedule 
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Figure 3-1. The Complexity of Managing High Risk Systems 


Figure 3-2 puts the challenge In perspective by comparing the power density of 
common transportation engines with the Space Shuttle Main Engine (SSME). Plotted is 
horsepower per pound for an auto engine. Indy race car engine, small jet engine, large jet 
engine and the SSME. Notice that the car engine has a ratio of 0.54 while the SSME has a 
ratio of 879. If an average car engine was built to the same power density and efficiency as 
the SSME it would weigh about 1/4 of a pound. The structural efficiency required is also 
extreme. For example. If an aluminum Coke can was made at the same structural efficiency 
as the Space Shuttle External Propellant Tank, its skin would be 1/3 the thickness it is today. 
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Power density comparison of automobiie, jet, and rocket engines 



Figure 3-2. Power Density Comparison of Transportation Systems Engines 


All of this high power density and high efficiency comes with a price as illustrated on 
Figure 3-3. This chart depicts a design principle that can be extracted from the history of 
space systems and says that the higher the performance requirements, the higher the 
sensitivity of the system to design and performance parameter uncertainties. This is a generic 
curve which represents a number of different physical systems. For example the structural 
SN Curve for fatigue is the inverse of this curve. A plot of vehicle dry weight versus dry 
weight margin will basically trace this generic curve. What this means then is that as we 
move out on the performance curve, our design, verification and operations challenges go up 
non-llnearly with the Increase in performance requirements. It means that great attention 
must be used to design, build, verify and operate these high performance systems. The 
complexity factor of these systems also makes it much more difficult to predict and 
understand the system induced interactions. Poole in his book, “Beyond Engineering: How 
Society Shapes Technology” says that the complexity factor leads to most of the failures and 
Is very difficult to predict. [Poole, 1997] He also concludes that this results not only in a 
technical complexity, but in organizational complexity as well. There are many problems that 
occurred In the SSME that can be shown to be a direct result of the high performance 
requirement, which will be discussed later. 
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Sensitivity versus Performance 



• The higher the performance requirements the greater 
the system sensitivity to weight, cost, parameter 
uncertainties, manufacturing fiaws, etc. 


Figure 3-3. Sensitivity Versus Performance Requirements 


Figure 3-4 shows the sensitivity of a single-stage-to-orbit vehicle, where dry weight 
plotted versus weight contingency in per cent. The same nonlinear trend is shown as for 
Figure 3-3. 

Weight Contingency Sensitivity 



Single Stage to Orbit launch 
vehicles are very sensitive to 
the technologies used and to 
the weight margins assigned. 

A Current AL material and 
SSME propulsion system 

□ Composite materials 

• Combined cycle engines 

X Combination of 
composites and 
combined cycle 
engines 


Figure 3-4. Dry Weight Versus Weight Contingency in Percent 




In conclusion, high performance requirements lead to high power densities and 
sensitivities, which require in-depth understanding and intricate baiancing of the system to 
achieve success. 

® A key message from Lesson 3: 

High Power Density Systems Require: 

• in-depth Understanding 

• intricate Baiancing 


Principle HI: Everything Acts As A System (Whole) 

Overarching design and Technicai Integration principies are summarized on the 
foilowing list. They are the foundation and summary of what foiiows in this section, as well as 
in other sections. 

• Physics and other governing principles (cost, ... ) rule all design activities. 

• Everything is a System composed of complex interacting parts that have a best 
balanced state. Attempting to operate out of that balanced state is very costly. 

• The best balanced state is achieved by understanding sensitivities, uncertainties 
and margins — ► leadstothequantificationof risk and design confidence. 

• Present design practice of complex systems entails compartmentalization 

- Subsystems, design functions, and discipline functions. 

• Overcoming complexity and balancing the design requires Technical Integration 

- Interactive activity among all participants in the design process 

- Compartmentalized parts are designed and reintegrated into a balanced 
and verified product 

• Technical Integration is enabled through formal and informal communications 
following the T-Model philosophy. The in-depth elements must be accurate 
while operating in a system role. 

• The innovation, creativity, and decision making skills of the people form the 
basis for successful design. 
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Embodied in these principies is the idea that while we can easiiy identify compiex 
systems as a whole entity; many are composed of complicated subsystems and parts that 
must be designed to robustiy and interactiveiy function to support the system life cycie needs. 

This section contains three iessons: 

4. System Engineering and Technicai Integration is the Linchpin of Project 
Success 

5. Risk Management 

6. All Design is a Paradox, a Balancing Act 


Lesson 4: System Engineering and Technicai integration 
is the Linchpin of Project Success 

System engineering and technical integration are concerned with validity of analyses, 
tests, and simulations; software and hardware integration; interfaces compatibiiities; 
interactions; validation; ... all of which are necessary for product success. Along with the 
basic iesson are the foilowing coroilaries: 

® 70 to 80% of all problems we encounter In design are caused by a breakdown in 
Systems or Technical Integration. Said differently, problems, in general, were not 
due to undiscovered or missing theory, but to the neglect of basic system 
principles . 

® Dick Kohrs said, "Systems Engineering is 95% communication and 5% 

engineering. " Yet we must maintain very honed specialist skills or there is nothing 
of value to communicate or integrate. 

Eii Technical integration is crucial to the design process. Make every effort to 
encourage technical integration, and to assess that it is being done. 

Eii Communication is the key, the predominant part of technical integration. 
Eii The most effective integration communication is informal. 

E'3 Understanding the physics of interactions is key to integration. 

E'3 Continuously check requirements and their flow, their verification. 

E'3 Continuously check assumptions. 

The above statements emphasize basic system principles. Yet while emphasizing the 
system aspects, we must maintain very honed speciaiist skiiis or there is nothing of value to 
integrate. These speciaiists are required to understand and quantify the vaiidity of their 
results; in addition, to specifying the sensitivities, uncertainties, and margins associated with 
those results. General reference for this total section is [Biair, et. ai., 2001]. 
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An important element that overshadows the design process is Technical Integration. 
Technical Integration is an interactive activity among all members of the design community 
where the compartmentalized subsystem ^ parts are designed and then reintegrated into a 
balanced system design that can be verified and validated and will operate at acceptable risk. 
Every effort should be made to ensure that technical integration is being accomplished. As 
mentioned above, communication is a key factor in achieving technical integration and, as is 
evident, informal communication is a pervasive aspect of technical integration. 

In the design of complex systems where there are high power densities, it is not only 
important to understand the physics but also associated interactions. In many situations the 
bleed off of a “slight” amount of energy can lead to instability. This is a situation where small 
differences can have as enormous impact. In addition, requirements can change as a result 
of maturing the design. Requirements, as well as, assumptions should be tracked and 
verified at each stage of a “design and analysis cycle” (DAC). 


In order for the design process to work efficiently and take advantage of the state of the 
art (SOA) knowledge base, the STS must be compartmentalized into workable units after the 
mission and programmatic requirements are defined. The SOA information exists in three 
types of organizations: (1) Industry, (2) Government, and (3) Academia. The capabilities and 
knowledge bases of these three organizations represent the SOA and they capture 
standards, monographs, technologies, manufacturing processes, etc. This capability and 
knowledge base is a major resource for achieving successful designs where there are high 
power densities and extreme environments. Listed below are examples that illustrate the 
main points in the narrative associated with Lesson 4 

• Characterization of Design Process/Technical Integration 

• Shuttle First Flight Aerodynamic Anomaly 

Characterization of the Design Process/Technical Integration 

The purpose of this example is to provide an overview of the design process and 
illustrate technical integration. More detail about the design process can be found in [Blair, 
et. al., 2001]. The design process consists of various features and providing an explanation is 
analogous to “peeling an onion”. An insight will be gained of the overall process. While 
understanding the process, the reader should understand where she/he fits and with whom 
they interact. Furthermore, the illustrations represent functions that are required to achieve 
the design and are not to be confused with organizational charts. Finally, functions and 
activities associated with the design process are independent of the organization and project. 

Shown in Figure 4-1 below, is the project life cycle flow. It can be seen that it starts 
with the Mission Statement then goes to Requirements. The design process starts with 
defining Architectures and proceeds through Detail Design. Then the product is built, 
verified, and operated. From the initial design activities through Detail Design there are a 
number of cycles associated with DAC and verification tests. While the life cycle process is 
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as shown, there are cyclic layers as the design matures; the level of design detail increases 
as well as the supporting data associated with analysis, test and simulations. 

Principles and Characterization of Design Process 



Figure 4-1. Project Life Cycle Flow 


As noted in Figure 4-1 , the mission statement and requirements definition precede all 
the design activities. Before anything can be designed, all of the requirements must be 
known. There have been projects in the past where the requirements were not adequately 
defined and the unintended consequences were significant cost over-runs. Initially, the top 
level requirements are defined, such as, orbit, payload definition, cost, schedule, safety, top 
operational requirements, etc. Then derived requirements have to be developed to fully 
accomplish the design of the system, subsystems, components, and parts. As the design 
continues requirements are continually defined, iterated, verified, and documented. 

The central part of the life cycle, i.e., from Architectural Generation to and including 
Detail Design, is enabled by compartmentalization and reintegration, see Figure 4-2. While 
compartmentalization is necessary to accomplish a design, it does add complexity. The 
process starts with the initial launch vehicle definition and ends with the final total Integrated 
system configuration. Firstly, the system is compartmentalized into subsystems (hardware 
pieces). This creates interfaces that have to be tracked via interface requirement documents 
(IRD) and interface control documents (ICD). Each subsystem is then compartmentalized 
into design functions that design the subsystem so that the attributes of the subsystem meet 
the derived requirements. To achieve the design, the design functions are 
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compartmentalized into disciplines. The disciplines provide design results determined from 
analysis, test and simulations. 



Figure 4-2. Compartmentalization and Reintegration 


Thus the system is compartmentalized, now it must be reintegrated to obtain a totally 
integrated system design. Firstly, the disciplines are reintegrated. Adequate analyses, tests, 
and simulations are required to be accomplished. Then sensitivities, uncertainties, and 
margins need to be defined to provide information for risk assessment. Next the design 
functions are reintegrated. It must be assured that the attributes of the design meet the 
derived requirements. Furthermore, they are required to be verified. In addition, account of 
all Interactions and nonlinearities has to be included. Finally, based on all knowledge of the 
design, a risk assessment is developed. This activity includes, at least, designers, 
disciplines, and S&MA. The final level of reintegration deals with subsystems and addresses 
interfaces. Specifically, the physical, functional, and informational flow across interfaces must 
be matched. Also Interactions and nonlinearities related to the total system must be 
addressed. System integration and verification, operational constraints, and system risk are 
also considerations. A total Integrated system design Is achieved when compartmentalization 
and reintegration are completed. 

Figure 4-3 provides additional insight in the compartmentalization process. The major 
activities and products associated with subsystems, design functions, and discipline functions 
are shown. 
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Subsystems Design Functions Discipline Functions 
(Subsystem Manager) (Designer) (Discipline Specialist) 


Activities 

Managing all 
activities 
associated with 
design of the 
subsystem 

Conceiving and 
designing 
hardware, 
software. & 
processes 

Analyzing, 
testing. & 
simulating 

Products 

Hardware & 
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Results of 


Software 
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analyses, tests. 




& simulations: 




databooks 


Figure 4-3. Compartmentalization Elements 


Further insights, i.e., “peeling the onion”, into the design process can be gained in 
consideration of Figure 4-4. Shown here is an illustration of subsystems and design 
functions. Note; requirements flow down, design attributes flow up, and interfaces are 
created. In the middle of the figure is an example of a system and some of its subsystems. 
For example, follow the solid blocks; they go from the launch vehicle system to the propellant 
conditioning system. Each is designed by the design functions indicated with the dashed 
arrows. At the top left is the system set of design functions with the top design function being 
the launch vehicle system plane. It Is responsible for all technical aspects of the system 
design. That includes classical system engineering, technical integration, hardware/software 
integration, etc. In addition, the system design plane orchestrates and integrates the design 
activities. In a similar fashion the top plane for each subsystem performs a similar activity. 
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Figure 4-4. Typical Subsystems with Associated Design Functions 


Technical integration of the system, design, and discipline functions are shown in 
Figure 4-5. The design functions are listed on the right of the figure. They provide the 
drawings, specifications and/or data books associated with each design function. For 
example, the aerodynamic design function provides the vehicle shape (outer mold line) and 
associated data books; trajectory/performance designs a balanced trajectory to achieve the 
target destination for the payload within all constraints, structures provides drawings and 
manufacturing specifications and so on. However, the system plane is responsible for all 
technical aspects of the system design. That includes classical system engineering, 
technical integration, hardware/software integration, etc. In addition, the system design plane 
orchestrates and Integrates the design activities. 
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Other 


Figure 4-5. Technical Integration of System, Design, and Discipline Functions 


The vertical conduits labeled requirements, architecture, and philosophy indicate 
formal flow of the associated information and they are controlled by the system. The system 
design is achieved in an iterative fashion via the design functions. Initially, a small group 
composed of representatives from each design function evolve a conceptual design(s) after a 
number of iterations. As the design matures through the DAC cycle process, the number of 
participants increases as well as the supporting data base. However the basic idea shown in 
Figure 4-5 remains in place but on a larger scale. The yellow conduit represents informal 
integration between the design functions and this is a key factor in achieving a balanced 
design. In addition, there is also significant informal integration within each design function. 
As the design converges, reintegration takes place and the converged attributes (green 
conduit) of the design formally flow to the system plane where they are eventually put under 
configuration control. If a balanced converged design with adequate margin can’t be 
achieved, more iterations may be required or some system level requirements may have to 
be changed. 

We have discussed the stack of design functions that are required to design a system 
or subsystem. Now consider the process that takes place within a design function (i.e., what 
happens on the design function planes). This is where the design functions are 
compartmentalized into discipline functions. As an example, consider the Structures design 
function shown in Figure 4-6. The block titled “Design” represents the structural designer on 
the CAD machine, who is responsible for taking the requirements, architecture, and 
philosophy from the Systems plane and synthesizing a structure that meets those 
requirements. In accomplishing this, he/she is supported by a number of discipline functions. 
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some of which are illustrated on the diagram. These include Natural Environments, 
Materials, Thermal, Control, Loads, and Stress. These discipline functions perform analysis, 
test, and simulation, and provide the necessary databases. Discipline functions also are the 
keepers of standards for their respective technical areas. 



System 



Other 


Figure 4-6. Structures Design Function with Discipiine Functions and Decision Gates 


The discipline functions provide the designer with information necessary to determine 
if the structural design will meet requirements. This is a very iterative process that requires 
extensive communication among the parties involved. Typically the designer hypothesizes a 
design (geometry, materials, etc.) from his/her experience base and imagination, informed by 
interactions with the discipline functions. The hypothesized design is analyzed to determine 
its attributes, which are compared with the requirements. 


Note: The designer’s activity can be thought of as an input/output process where the 
independent variables are the choices made by the designer (the design variables) and the 
dependent variables are the characteristics and qualities of the resulting design (the design 
attributes). 

The goal, of course, is to have the attributes match the requirements. This is shown 
diagrammatically as a single decision gate on the Structures design function plane. 

However, since there are multiple requirements to be met, there are multiple gates that must 
be successfully passed. Examples of these gates are shown on the diagram below the 


46 






design function plane. They include attributes such as structural strength, endurance, and 
weight, accommodations of propulsion and thermal protection, and manufacturing and 
assembly compatibility. Notice that along with these measures the gates include cost and 
“-ilities” such as operability. When the design has been iterated to the point that its attributes 
successfully pass all the gates, the Structures design function can feed the structural design 
and its attributes up to the System plane, and output the drawings and specifications. 

This process obviously does not occur in one pass, but requires many iterations and 
tradeoffs. Design inherently is a balancing and tradeoff process. To arrive at an acceptable 
design, there are multiple tradeoffs and iterations among the discipline functions and the 
design functions. We will not achieve a successful design unless there is intensive 
interaction and communication among all the participants. Iterations may also be required 
with the System plane, particularly if requirements relief or reallocation is required. 

These highly-connected functions and activities involve flowing a great amount of 
information. How is all that information managed? Input-output matrices can be useful in 
identifying and providing locators for information needed by the various participants. 
Information flow among the subsystems can be envisioned on an “I x I” matrix where the 
subsystems are on the matrix diagonal, outputs from a subsystem are on the horizontal of 
that element, and inputs to the subsystem are on the vertical. Information flow among the 
design functions and the discipline functions is represented on an “N x N” matrix that has a 
similar layout. The matrices provide placeholders to identify and locate information that is 
required for the integration process. In some cases, the matrix information is formally 
identified, for example in subsystem interface control documents and design and analysis 
cycle data books. 

Recall that Technical Integration is an interactive activity among all members of the 
design community where the compartmentalized subsystem ^ parts are designed and then 
reintegrated into a balanced system design that can be verified and validated and will operate 
at acceptable risk. The Technical Integration process is represented in Figure 4-7. 
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Figure 4-7. Technical Integration 


There are two essential activities that overlay the Technical Integration process: 
Classicai Systems Engineering and Safety and Mission Assurance (S&MA). 

Classicai Systems Engineering provides the framework, process controi, and 
documentation for the Technical Integration process. (Figure 4-8) It is represented by the 
classical Systems Engineering “V” that follows the design life cycle from requirements 
through deveiopment and manufacturing, verification at component/subsystem levei, then 
systems verification, certification, and operations. 
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Systems Plane Responsibility: Ensure the system will 
satisfy all requirements and constraints for the entire life cycle. 


Figure 4-8. Classical Systems Engineering 


Safety and Mission Assurance activities are an inherent part of the design activities. 
(Figure 4-9) S&MA has three main components: (1) System Safety deals with hazard 
identification, detection, and mitigation; (2) Reliability identifies failure modes and causes, 
along with their associated probabilities; (3) Quality addresses process control and 
verification of the as-built hardware and software. 
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Safety: Hazard detection and mitigation 

Reliability: Failure modes, causes and associated probabilities 

Quality: Process control and verification 


Figure 4-9. Safety and Mission Assurance 


Overlaying Classical System Engineering and Safety and Mission Assurance onto the 
Technical Integration diagram then summarizes the Technical Execution of the Design as 
represented in Figure 4-10. 
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Figure 4-10. Technical Execution of Design 

Achieving successful products clearly requires proper Technical Execution of Design. 
It also must have astute Project Management and be undergirded by the right Individual and 
Organizational Culture. This interactive triad of essential elements, Illustrated on Figure 4-1 1 , 
work together to produce products that successfully meet their objectives. These elements 
are addressed further in a separate report on Engineering Excellence. 
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Figure 4-1 1 . Elements of Product Success 


Shuttle First Flight Aerodynamic Anomaly 

The Space Shuttle is a high performance, intricately balanced launch system with 
complex interactions. These factors combined to generate a highly sensitive and hard to 
predict set of complex interactions. The first launch of shuttle STS-1 (Figure 4-12) produced 
several surprises. 



Figure 4-12. STS-1 Space Shuttle Launch 


The first was the liftoff SRM propulsion induced overpressure problem which yielded 
the RCS system attachment arms and produced large dynamic oscillations of the vehicle. 
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These phenomena will be discussed in a later lesson. The second surprise occurred during 
ascent when two anomalies occurred. First, the vehicle lofted significantly more than was 
predicted indicating that there was an unpredicted bias moment acting on the vehicle. The 
vehicle at SRB separation was approximately 10,000 feet higher than predicted. The second 
anomaly had to do with the orbiter wing loads. The trajectory had been designed to fly the 
vehicle conservatively at a predicted 65% of the design limit load; however, the strain gauges 
showed that the wing was experiencing up to 100% of the design limit load in some areas. 
The two effects were due to the same cause. In designing the vehicle, wind tunnel tests were 
required to develop the vehicles aerodynamic characteristics. In order to accomplish an 
adequate test, the propulsion system plumes, including the atmospheric effect on their shape, 
had to be simulated using a solid plume. Analytical techniques available to make the estimate 
of plume characteristics at that time were crude and thus gave an inaccurate answer. The 
plumes, in conjunction with the tunneling effect between the Orbiter wings and the External 
Tank and the Solid Rocket Boosters, altered the aerodynamic distribution on the Orbiter wing, 
creating the unpredicted moment and the increased loads on the Orbiter wings. Figure 4-13 
illustrates the effect. Initially no one believed the strain gauge and aerodynamic pressure 
data, requiring that all the strain gauges be recalibrated. This recalibration showed that the 
strain gauges on the flight were accurate. Many thought that the pressure gauges were 
recessed too deep causing them to give inaccurate data; however after working the problem 
there was indeed a bias moment on the vehicle from the aerodynamic characteristics. 

Space Shuttle Aerodynamics 




Figure 4-13. STS-1 Space Shuttle Aerodynamic Anomaly 

The solution to the problem was complex. If the Orbiter wing was beefed up to handle 
the increased loads there would be a 5,000 pound payload loss and a schedule slip of the 
next launch by 2 years. An alternate fix involved flying the vehicle at a -6 degrees angle of 
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attack instead of the original -2 degrees at a payload penalty of 5,000 pounds. In addition the 
leading edge of the Orbiter wing had minor structural beef-up and the External Tank 
protuberances had to be requalified to the new loads. Even with these fixes the original total 
structural capability was not gained, requiring that a Day of Launch l-Load Update approach 
be added to the operational procedures to bias the trajectory to a wind profile measured 4 
hours prior to launch. Figure 4-14 shows the original Q-alpha envelope and the reduced 
envelope that resulted from flying the vehicle in the new way. The above information is taken 
from presentations and notes of ASFIG meetings that the authors participated in and is 
summarized in [Chaffe, 1983]. 
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Figure 4-14. STS-1 Space Shuttle Aerodynamic Anomaly and Solution 


The aerodynamic problem on the first Shuttle flight can be summarized by the 
following statements: 

• Aerodynamic design distribution was missed as evidenced on the first Shuttle flight 
STS-1 . 

• The cause was not understanding the SRM and SSME plume effects and the base 
flow interaction along with the tunnel flow effects between the ET and Orbiter. 

• Aerodynamics were predicted using wind tunnel test data where the plume shape and 
size was simulated using a solid plume. 

• Sensitivity assessment using various size plume shapes would have revealed the 
problem. 

• The Fix: Change the tilt program from -2 degrees to -6 degrees and beef-up the wing 
leading edge attachments and ET protuberances. 

• The Cost: 5,000 pounds payload and in-flight wind constraints to launch. [Or, could 
have redesigned wing with 2 year schedule hit and 5,000 lbs increase in dry weight 
(5,000 equivalent payload loss)] 
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<-> A key message from Lesson 4: 

Our Organizations and Products are Highiy Compiex Systems . Technicai 
integration is the iinchpin of their success. Definition of sensitivities and 
uncertainties is a fundamentai activity of the design and operations of space 
systems. 


Lesson 5: Risk Management 

® “Risk Management” Guides the Design with Confidence 

Eii Risk is assessed throughout all stages of the project life cycle 
Eii Risks are both developmental and operational 

o Technical [Safety (Personnel, Assets, and Environmental), 
o Performance (Requirements, Operations, and Supportability)], 
o Cost, And Schedule 
Eii Methods include: Risk Matrix and PRA 

One of the keys to success is assessing, understanding, and managing the various 
risks of the system. These risks are both technical and programmatic. The decision making 
process dictates that we make these decisions based on the total risks of the system. 
Technical risks deal essentially with potential failure modes and their probability of occurring 
as well as the severity of the failure. Programmatic risks of cost and schedule are similar in 
their approach. The technical risks also have a large impact on the programmatic risks and 
must include those impacts. Risk assessment and mitigation are major design activities that 
must be assessed throughout all stages of the project life cycle. 


Risk Overview 

Risk pertains to situations where there are undesirable and uncertain events that could 
be detrimental or have adverse consequences. In the development of space hardware, risk is 
concerned with the likelihood of occurrence of undesirable end states and the severity of 
resuling consequences. The first reference in the literature, see [Clemens, et. al., 2005], 
relating to the above risk definition is attributable to Blaise Pascal ini 662. 

Risk assessment and management guides the design through all stages of the design 
process. In the end, it provides confidence in the final design. Risk assessment pertains to 
the process of identifying and modeling potential risk scenarios, determining the associated 
probablility of a occurrence, the severity of the consequences, and actions required to reduce 
the risk to an acceptable level. Risk management is a process concerned with identifying, 
analyzing, planning, tracking, and controlling risk. 
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Concerns relating to risk occur during all stages of the design process. They pertain to 
technical , cost, and schedule risk. The main focuses of technical risk are safety (personnel, 
assets, and environmental) and performance (requirements, operations, and supportability). 
After a risk assessment is accepted it is usually prioritized by a project review team. The 
application of risk assessment and management enables the project to focus on the most 
pressing issues. In Figure 5-1 it can be seen that risk in one category can affect risk in other 
categories. 



Figure 5-1 Relationships Among Risk Categories 


The project’s goal is to balance all risk categories and bring them to a level as low as 
practically possible. 

Figure 5-2 provides a risk assessment taxonomy. It can be seen that there are two 
major legs associated with risk assessment. One method deals with risk matrix assessment 
and the other deals with probabilistic risk assessment (PRA). 
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Figure 5-2. Risk Assessment Taxonomy 


The risk matrix method usually applies to project levels 3, 4, and 5. The main purpose 
is to determine and assess undesirable events associated with technical (safety and 
performance), cost, and schedule and includes participation of engineering and S&MA. They 
determine the likelihood of an undesirable event and the corresponding severity. The risk 
assessment then goes to the project team where the priorities are determined. This 
methodology was established in the mid to late 1 970’s and continues to be refined to 
accommodate various applications. 

PRA is a method that is usually applied to project levels 2, 3, and 4. This method is 
usually applied to assess events that have a low probability of occurrence, but with enormous 
consequences, for instance: loss of crew, loss of vehicle, or loss of mission. One of the 
distinguishing features of PRA is the determination of uncertainty associated with the risk 
level. As can be seen from the figure the results are represented by a probability density 
distribution. This methodology was developed in the early 1970’s to assess risk associated 
with nuclear reactors. The first PRA for the Space Shuttle was completed in 1988 and the risk 
of loss of crew was 1/78 (current value is 1/80). In comparison the risk associated with the 
loss of crew of Ares-1 is 1/2000. 

Examples: 

• Space Shuttle SRM Ignition Overpressure 

• Saturn V lU Rate Gyro Deflection 
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Listed above are two examples that illustrate risk. The discussion that follows will 
focus on these two examples. 

Space Shuttle SRM Ignition Overpressure 

During the ignition of a Space Shuttle solid rocket motor (SRM), the maximum rise rate 
of the internal total pressure Is about 9000 psi/sec. When the SRM hot exhaust products 
(mass of exhaust gas) is suddenly injected (it takes ~ 0.5 seconds to reach a total mass flow 
of ~1 2,000 Ibs/sec) into the confined volume of the Shuttle Mobile Launcher Platform (MLP), 
main deflector, exhaust trench and side deflector elements it produces an “overpressure 
wave” that is propagated back to the launch vehicle approximately as a hemispherical, high 
amplitude wave. The result is a transient high amplitude pressure distribution that vibrates 
the vehicle system. 

Titan III flight tests about 1975 indicated high ignition overpressure (lOP) levels. In 
addition, tests at Marshall Space Flight Center Acoustic Model Test Facility also indicated 
high lOP levels; see [Jones, et. al., 1994]. Structural analysis Indicated the response was 
acceptable and a decision was made to fly STS-I as is and to assess lOP effects after the 
first flight. On STS-1 , there was a high amplitude overpressure wave that was developed that 
resulted in vibration responses on the Orbiter’s wing, body flap, vertical tail, and crew cabin 
that exceeded predictions. In addition, struts on the Orbiter’s reaction control system’s 
oxidizer tank were buckled. 

The first Space Shuttle flight was in April 1981 and the second flight was in November 
1981 . During this time an extensive effort was initiated not only to devise a means for abating 
the lOP but also implementing a design fix on the Space Shuttle MLP at KSC. During that 
period, 40 tests using a 6.4% Shuttle model, see Figure 5-3, were conducted and a design fix 
was established. Two types of fixes were finalized and these were used to reduce the lOP 
levels. One consisted of a water spray nozzle system where the water sprays were directed 
towards the SRB at two axial positions under each SRB for a total water discharge of 
100,000 gpm for each SRB. Six nozzles were positioned ~ 22 inches below the SRM and 
two other nozzles were 140 inches below the SRB. These sprays function to provide a 
substantial mixing of the water with the SRM exhaust mass flow so as attenuate the lOP 
wave. The effectiveness of the water injection alone is shown in Figure 5-4. The second fix 
was a set of 1 2 inches deep water troughs that were placed completely across the large drift 
holes and they were filled with water. This fix was designed to act as barriers to block any 
reflected waves that developed below the MLP, see [Jones, et. al., 1994]. Figure 5-5 shows 
both the water spray and water trough fixes. 
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Figure 5-3. Acoustic Model Test Facility - 6.4% Shuttle Model 


Average Space Shuttle Vehicle Measurements 



Figure 5-4. Effect of Water in Primary Side of SRB Hole on Positive Peak Overpressure 
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Figure 5-5. Water Spray System and MLP Water Troughs 


The lOP suppression fix described above was implemented on STS-2 and all 
subsequent Shuttle flights. Figure 5-6 shows the comparison of the overpressure waveform 
at the Orbiter Base Heat Shield between STS-2 (with) and STS-1 (without) the lOP 
suppression fix. 
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Figure 5-6. Comparison of the Overpressure Wave at the Orbiter Base Heat Shield 
Without Suppression (STS-1) and With Suppression (STS-2) 


Also, shown in Figure 5-7 below, is the SRB lOP peak amplitude data indicating the 
effect of the fixes. This figure indicates the trend in the data, i.e., approximate mean values. 
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SRB Ignition Overpressure, psi 


Figure 5-7. SRB Ignition Overpressure 

In the figure there are two sets of data. One set pertains to lOP levels before the fix 
and the other set is after the fix. It can be seen that the maximum level on the Space Shuttle 
External Tank before the fix was about 2.0 psi. In the model test the levels were higher. 

These levels were higher because the solid rocket motor used in the model test was not an 
exact scale of the SRB and because of the scaling factors used. However, in the tests after 
the fix, the data indicates levels that would not seriously impact the vehicle loads. Also, the 
flight data after the fix substantiates the findings that the fixes would abate the lOP and it 
would no longer impact vehicle loads. 

This is an example where the risk in the system was not correctly judged and had to be 
addressed after the first flight. 

Saturn V lU Rate Gyro Deflection 

During the development of Saturn/Apollo there were unknowns regarding the ability to 
model the dynamics associated with bending, controls, loads, aeroelasticity, etc. This resulted 
in risk regarding flight uncertainty. The design team recommended to the project office that a 
ground vibration test (GVT) be conducted to determine various unknowns and uncertainties 
to anchor the models. The project accepted the recommendation and a GVT was conducted. 
This test series uncovered a large deflection in the instrument unit (lU) at the location of a 
rate gyro. 
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In Figure 5-8 the instrument can be seen on the Saturn/Apollo along with approximate 
locations of rate gyros. It turned out that the load path of the Service Module (SM) and Lunar 
Module (LM) went through the forward portion of the Instrument Unit (lU) through the location 
of the rate gyro at the first bending mode frequency. The consequence of this situation was 
that as the vehicle flew a bending vibration sensed by the rate gyro would be sent to the 
control system and could couple in such a way that the vehicle would be dynamically 
unstable. [Ryan, et. al., TM-78037, 1980] 



Figure 5-8. Saturn/Apollo - Instrument Unit 


In Figure 5-9 is a schematic of a control rate gyro that shows its location along with an 
exaggerated view of the deflection. Also, the LM attach point (load path) can be seen with the 
control gyro located below it. In the deflected position shown, the control system would 
indicate that the vehicle was at an angle of attack as indicated when in fact it would not be at 
the sensed angle of attack. In addition, it would indicate that the vehicle would be vibrating as 
a rigid body at the bending frequency. The rate gyro was moved to a more benign location 
that reduced this effect by a factor of three and potential problem was eliminated. 
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Figure 5-9. Schematic of Gyro Mounting and Locai Deformation 

This is an example where the risk was assessed and appropriate action was to reduce 
it to a levei as iow as possible, i.e., benign state. 

From these examples it can be seen that risk must be continually assessed and managed 
throughout the project life cycle. Analysis and carefui testing with aii conditions simulated is 
best for quantifying risk; however, there can be “unknown unknowns.” In that case, the 
unknown events should be anticipated In many in-flight anomalies, there were usually 
indicators pointing to potential problems. 

® A key message from Lesson 5: 

Risk must be continually assessed and managed throughout the project life 
cycle 


Lesson 6: All Design is a Paradox, a Balancing Act 

® All design is a paradox, a balancing act. Because of conflicting 
requirements, you must take some of what you don't want, 
to get some of what you do want. 

Eii All designs must achieve acceptabie reiiability for safety. 

Eii Within this constraint, balancing must occur: 

- Among design and discipline functions (energy redistribution). 

- Among program requirements, the design, manufacturing, and 
operation pians. 

- Probiems not cured in design must be compensated for in operational 
compromises and constraints (e.g. may lead to reduced probability of 
launch). 
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- Among cost, schedule, and performance, with associated risks. 

Eii The above attributes are linked; an improvement in one attribute typically 
produces a detriment in another. 

Eii The balancing act requires open communication and key decision 
judgments. 

Lesson 6 deals with balancing the system among its set of conflicting requirements 
and performance metrics. We accomplish design in terms of the requirements/constraints 
using trade studies. Trade studies drive out the differences in design alternatives and 
illustrate the strongly coupled nature of space systems. Sensitivities are the guiding light for 
accomplishing trade studies. How well we accomplish this balancing act using trade studies 
determines product success. David Pye says, 

“Any of these forms of energy is capable of producing changes, changes in things; 
more exactly, redistribution of matter... Now whenever a change is made by passage of 
energy and a result is left, this event takes place in a group of things. Things are always 
together. They do not exist separately... All you can do, and that only within limits, is to 
regulate the amounts of the various changes. This you do by design.” 

“The requirements for design conflict and cannot be reconciled. All design for devices 
are in some degree failure. The designer or his client has to choose to what degree and 
where the failures shall be.” 

“You must take some of what you don’t want in order to get some of what you do 
want.” [Pye, 1969] 

Thus, design is paradoxical. As a consequence, we balance the system to the degree 
possible among conflicting requirements. Because of the demanding, high-performance 
nature of launch systems, this balancing act associated with their design is especially 
challenging. Balancing must occur within the performance attributes of the system, and there 
must be balancing among technical performance attributes, the -ilities, and the programmatic 
attributes of cost and schedule. There can be tradeoffs between payload delivery capability, 
vehicle robustness, launch probability, and operational complexity. Problems that can’t be 
cured in design must be compensated for in operational compromises and constraints. 
Knowledge of system risks Is necessary to make correct tradeoff and balance decisions. The 
balancing act requires open communication and key decision judgments. 

Tradeoffs are made at essentially every level to achieve the desired balance. An 
example of performance based trade studies is shown in Figure 6-1 . Each of the design 
functions shown has options that can be explored to meet its requirements, and can be 
traded within its own area. There are also trades among the design functions, as well as 
trades with the total system. An actual trade space would have many more options than just 
the few illustrated here. 
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Figure 6-1. Example of Performance Based Trade Studies 


Figure 6-2 illustrates the fact that the design process is a baiancing act, seeking the 
best design baiance point among all the many interacting elements. Balancing must occur 
among aii technicai and programmatic aspects of the project. 



Figure 6-2. Design Process Balancing Act 
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Examples: 

• Balancing Payload Performance, Trajectory, Control, Loads, Thermal 

• Load Relief / Performance T rades 

• Wind Biasing 

• Saturn V Load Relief Trade 

• Operations versus Vehicle Performance 

• Solid Rocket Booster Water Impact / Recovery 

Balancing Payload Performance, Trajectory, Control, Loads, Thermal 


For the ascent phase of flight, there are a number of flight mechanics parameters that 
must be traded to achieve the best balance of payload mass to orbit, launch availability, 
operational complexity, and system robustness. They include trajectory, control, loads, and 
thermal environment (Figure 6-3). The basic trajectory is determined to maximize payload 
mass delivered to orbit. The control system orients the vehicle to follow the optimal 
trajectory. The more closely the vehicle can be controlled to the optimal trajectory, the more 
payload mass can be delivered to orbit from a flight-mechanics viewpoint. However, when 
the vehicle encounters winds, holding tightly to the optimal trajectory causes the aerodynamic 
loads to be relatively high. Higher aerodynamic loads require stronger, heavier structure, 
which reduces the payload mass delivery capability. We can relieve the wind-induced 
aerodynamic loads by turning the vehicle to reduce the angle of attack; however, this causes 
the trajectory to deviate from optimal. So there Is a tradeoff required — a balancing act. 
Thermal environments can be affected by the flight path during the latter part of atmospheric 
ascent, so those considerations are also part of the balancing. 



Figure 6-3. Balance Performance, Trajectory, Control, Loads, Thermal 
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One of the most highly tuned and balanced systems is the Space Shuttle. The Shuttle 
is a stage-and-a-half configuration with a winged, reusable Orbiter. This means that it is 
extremely sensitive and must be reevaluated after any change, however small. It must 
“thread the needle” through its many tight constraints. As a consequence, it is operationally 
expensive, requiring much continuing attention. [Chaffe, 1983] 

Load Relief / Performance Trades 

Typically, the best balanced system involves reducing the wind-induced aerodynamic 
loads to allow a lighter structure. There are three techniques commonly used to reduce these 
loads: wind biasing, load relief control, and modal suppression. Figure 6-4 summarizes the 
benefits and costs/disadvantages for each technique. 


Method Benefits Costs/Disadvantages 


Wind Biasing 

Lower rigid-body ioads, 
thus iighter structure or 
more margin; Lower 
performance variations 

Operationai 
compiexityand cost 

Load Reiief Controi 

Lower rigid-body ioads, 
thus iighter structure or 
more margin 

Path-deviation 
performance iosses; 
Controi system 
compiexity; 

Added faiiure modes 

Modai Suppression 

Lower fiex-body ioads on 
forward section of vehicie, 
thus iighter structure or 
more margin 

Controi system 
compiexity; 

Ground vibration tests 
for required modai 
accuracy 


Good vehicle design chooses the best baiance of these options, 
considering benefits, costs, risks, and robustness. 

Figure 6-4. Comparison of Load Reduction Methods 


For wind biasing, the ascent trajectory/guidance profile is biased for an expected value 
of winds occurring over a specified time period (e.g., a month). If that expected wind were 
actually experienced during flight, there would be no wind-induced load on the vehicle. Of 
course, the actual wind always differs from the expected or predicted wind, so there will be 
wind loads caused by the difference between the actual and expected (biased) winds. Wind 
biasing allows the structure to be designed to withstand only the deviations from the expected 
wind, instead of the full range of winds possible for that time period. The disadvantage of 
wind biasing is operational complexity and cost. There will be more discussion of wind 
biasing later. 
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Configuring the control system to sense and reduce the wind-induced aerodynamic 
load is designated “load relief control”. Although controlling the vehicle to reduce the 
aerodynamic load generally entails deviating from the payload-optimized trajectory, using 
load relief control provides the most favorable net payload capability for many vehicle 
designs. However, it entails the addition of lateral accelerometer sensors and filtering, which 
adds failure modes and operational complexity. 

Modal suppression is the use of the control system to actively damp some vibrational 
modes to reduce loads caused by modal tuning with wind gusts. This can reduce the loads 
on the forward section of flexible vehicles, thus allowing lighter structure or more margin. 
However, there is some system complexity introduced, and active modal control requires 
accurate knowledge of modal characteristics, which may entail ground vibration tests of the 
structure. 

Good vehicle design chooses the best balance of these options, considering benefits, 
costs, risks, and robustness. 

Wind Biasing 

As discussed earlier, wind biasing is a means of relieving loads during ascent. The 
choice of what wind-biasing time period to use for design is a tradeoff decision. See Figure 
6-5. For example, we can design for the expected (average) wind over a yearly, monthly, or 
daily (several hours) time period. In each case, the trajectory/guidance profile must be 
generated and loaded into the flight computer. Designing for a yearly wind bias would allow 
one profile to be used regardless of when the launch occurs during the year. This is 
operationally simple, but requires a strong vehicle, since the actual wind varies greatly during 
the year from the average annual wind. A monthly bias requires loading a profile for the 
specific month of launch, but reduces the design loads because wind variations within a 
month are smaller than within a year. Carrying the concept further, we can measure the wind 
on the day of launch and bias to that wind. Now the variability is much smaller, so the wind 
loads are reduced to those corresponding to only the wind variability within a few hours. The 
structure can then be lighter, but now there is a significant operational cost incurred on every 
flight, because on the day of launch the winds must be measured, the profiles must be 
generated, independently verified, and loaded into the flight computer. So a tradeoff decision 
is required. (Further details of day-of-launch biasing are given in Lesson 17.) 

If one designs for wind biasing for a given time period, the vehicle will have to operate 
with biasing for that period or a shorter period. One approach is to design for a monthly 
mean, for example, and hold in reserve the possibility of operating with day-of-launch biasing. 
This retains margin that can be used to accommodate downstream payload performance 
problems, increase launch probability, or provide mission flexibility. Figure 6-5 illustrates this 
concept. 
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Day of 

Annual Monthly launch 

No mean mean measured 

wind bias wind bias wind bias wind bias 


Design 

for 

Operate 

with 



• Operating with day of launch bias gives minimum structural load. 

•A spread between "Design for" and "Operate with" provides margin 
that can be traded for payload performance and/or launch probability. 

Figure 6-5. Wind Biasing Options and Effects 


The approaches taken for Saturn V and Shuttle are illustrated on Figure 6-6. Saturn V 
was designed for no wind biasing, so it had a very strong structure. It was operated with 
monthly mean wind biasing, so there was margin provided by the difference between the 
“Design for” and the “Operate with” points. This margin in structural capability, along with 
margin in the propulsion system, provided mission fiexibility that enabled carrying the Lunar 
Rover and iaunching Skylab, two applications that were not envisioned in the initial design. 

Space Shuttie followed a different path. Being a stage-and-a-haif vehicle, it required a 
relativeiy more efficient (iighter-weight) structure than did the three-stage Saturn vehicie. The 
initiai intent was to design for monthiy mean wind biasing. However, the effects of the 
unexpected first flight aerodynamic anomaiy discussed in Lesson 4 meant that the as-built 
vehicle was not as strong as initially intended, and required day-of-iaunch wind biasing. 

Since there is no spread between the as-built point and the operate point, there is no margin 
benefit for Shuttle as was the case for Saturn. 
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Day of 

Annual Monthly launch 

No mean mean measured 

wind bias wind bias wind bias wind bias 



• Operating with day of launch bias gives minimum structural load. 

• A spread between “Design for" and “Operate with*’ pro^des margin 
that can be traded for payload performance and/or launch probability. 

Figure 6-6. Comparison of Wind Biasing Approaches for Saturn V and Shuttle 


Saturn V Load Relief Trade 

On the Saturn V / Apollo vehicle, the usual trade study was done to determine 
potential benefits of using load relief controi. Analysis that modeled the vehicle as a rigid 
body showed that there was sufficient reduction of basic aerodynamic ioads to recommend 
using load relief controi. However, when structural flexibility was inciuded in the anaiysis, it 
was found that adding ioad reiief control significantly increased the loads on the upper one- 
third of the vehicie, due to accentuated bending response to gusts. This detrimental effect on 
the upper third of the vehicle outweighed the beneficial effect of rigid-body ioad reiief on the 
middie third of the vehicie, resuiting in a decision to not use load relief on Saturn V. [Ryan, R. 
1986, Geissier, E.D. 1970]. This exampie also illustrates the importance of employing 
sufficient fidelity in trade studies so as to avoid an erroneous conclusion. 

Saturn used analog filtering technology in the flight control computer. Today’s digital 
filtering technology would probably enable more effective compensating for fiexibility 
components of the acceierometer signal, so as to take advantage of load relief control without 
the detrimentai effects. 

Operations versus Vehicle Performance 

There is a tradeoff between maximum performance and maximum operationai 
efficiency. If we design to optimize payload performance or other measures of physical 
performance of a vehicle, it is iikeiy to be highly tuned and sensitive to parameter variations 
and perturbations. Such vehicles are not robust and require much effort and cost to operate 
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safely. Historically, we have designed for performance, then dealt with the risks and 
consequences of a performance-based design through operational procedures. This 
approach comes at a high cost in operations. 

We should balance the vehicle performance to achieve robustness, reducing the risk 
and therefore the operational complexities. 

Solid Rocket Booster Water Impact / Recovery 

The decision to recover and reuse parts of the Shuttle Solid Rocket Boosters is an 
example of a different type of trade and balance activity. The overall decision involved many 
technical and cost factors, and eventually was based on a probabilistic prediction of the 
attrition rate. Ascent payload delivery capability was affected by the mass of the recovery 
system including parachutes. Reusing the SRB’s entailed development of recovery 
methodology, on-board systems, recovery vessels and infrastructure, refurbishment and 
inspection process, etc. [Nevins, 1975] 

One aspect of this development was the prediction of what damage can be expected 
upon water impact. There are several events related to water impact that produce major 
loads on the SRB, as illustrated on Figures 6-7 and 6-8: (1) the Initial splashdown causes 
large loads on the nozzle and aft skirt, (2) the air cavity created by the splashdown collapses 
and the water slams the aft part of the case, (3) maximum depth penetration creates 
hydrostatic loads, (4) the SRB buoys up vertically, then slaps down horizontally, creating 
side-loads on the forward part of the case. Any of these events has the potential to damage 
the hardware. 



Figure 6-7. Significant Loading Events for SRB Water impact 
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Figure 6-8. Typical Initial Water Impact Dynamic Events 


There was a large amount of scale-model drop testing done during the development of 
the recovery system, along with some fuli-scale testing. There were trade-offs for parachute 
sizing and assessment of sea state probabiiities, aiong with economic anaiyses to assess the 
cost benefit of recovering and reusing the hardware. The conclusion reached was that 
booster recovery and reuse wouid be cost effective if there were no more than 2% attrition of 
the hardware due to recovery damage. So there was a probabilistic baiance-point, or target, 
for the recovery system design. The initial desire was to not modify the ascent SRB design 
for any recovery ioading events, but to accept whatever attrition would occur. However, 
because the actual cavity-collapse loads were consistently higher than predicted, a design 
modification was made to strengthen the aft segment. Whiie one pair of SRB’s were lost 
because of a parachute triggering device malfunction, there have so far been no SRB’s lost 
because of the probabilistically-defined variabies such as sea states, parachute deployment 
conditions, etc. A major advantage of recovering the SRB’s is the ability to inspect the 
recovered hardware and determine its post-use condition. This has proved important in 
determining actuai margins (such as for thermai protection) and reveaiing incipient probiems. 
[McCool, 1991] 

Vehicle Reliability Versus Engine Reliability 

Another act of balancing has to do with the trade of vehicle reliability versus engine 
reliability and the number of engines. Here we are trading engine reliability for vehicle 
reliability particulariy in man-rated systems where we want engine out capability for abort. If 
each engine has the same reiiabiiity regardiess of its size, the vehicie reliability is highest if 
the vehicle uses a single engine. But a single engine wouid imply high thrust, and high thrust 
engines tend to be more unreiiable. Smaller engines have higher individuai reliability, but the 
need for multiple small engines can reduce the overaii vehicle reliability. This is illustrated by 
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on Figure 6-9. Reliability numbers in the figure are for illustration only and do not represent 
actual systems. As an additional consideration, a vehicle with multiple engines may be 
designed to allow engine-out capability as a safety measure for crew survivability or mission 
continuance. Airlines have dealt with this issue extensively and had difficulty for a number of 
years getting certification for twin engine versus four engine planes. They had to show a gain 
in engine reliability and the ability to fly on one engine to sell the approach. 

Systems Reliability vs. Engine Reliability 

® Generally, the smaller the number of engines on a vehicle, the 
less likely an engine failure will be experienced during a 
mission. 

® But, iowering the number of engines requires higher thrust 
engines, which can reduce the individual engine reliability. This 
entaiis a tradeoff. 

<-> Designing for capability to safeiy abort (or even compiete the 
mission) after experiencing an engine faiiure can significantiy 
increase crew safety / mission success. 

Examp/e: 


Single Engine 
Reliability 

Two Engines - 
None Out 

Three Engines - 
None Out 

0.95 

0.903 

0.857 

0.97 

0.941 

0.913 

0.99 

0.980 

0.970 

0.999 

0.998 

0.997 


Three Engines - 
One Out 

0.993 

0.997 


0.9997 


0.999997 


Figure 6-9. Systems Reliability versus Number of Engines 


X-33 Aerodynamics and Controllability 

Balancing the X-33 single stage to orbit launch vehicle was a major challenge. X-33, 
being a singie stage to orbit vehicle, had to balance between the ascent and reentry 
aerodynamic characteristics. Ascent controiiability and ioads had to be baianced with reentry 
and ianding controliabiiity. Soiving this balancing act took 1 ,000 hours of wind tunnel tests in 
the MSFC tunnel. There was an approximate 9 months hit in the vehicie development 
schedule required to soive this design set of trades. [David, 2001] 

The above exampies have iiiustrated the muiti-dimensionai nature of balancing that is 
required for the design process. There is balancing among all aspects of the system: 
subsystems, design functions, discipiines, performance, the -iiities, fiight phases, iife-cycle 
costs, and more. 
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® A key message from Lesson 6: 

Balancing Required Among All Aspects of System: 

- Subsystems 

- Design Functions 

- Disciplines 

- Cost / Performance / -ilities 

- Flight Phases 

- Life-Cycle Expenditures 


Principle IV: The System is Governed by the Laws of Physics 

In this section we deal with the iessons associated with fundamentai technicai 
principles. In dealing with these principles, it is not impiied that there are not other technicai 
lessons; in fact most of the remaining iessons are of a technicai nature. What we are doing 
here is deaiing with four of the very high ievei technicai lessons necessary for successful 
products. The four lessons for this principie are: 

7. Physics of the Problems Reigns Supreme 

8. Engineering is a Logical Thought Process 

9. Mathematics is the Same! 

10. Fundamentais of Launch Vehicie Design Deal with Baiancing Efficiencies 


Lesson 7. Physics of the Problems Reigns Supreme 

<> The Physics (Mother Nature) of the probiem reigns supreme (The God of 
Design). Either you bow down to Her or you wiii faii down. 

"Mother Nature does not read our paper. If we don't follow her way, she lets us 
fall" 

Eii Understanding the Physics is cruciai. 

Eii Designing using unreaiistic assumptions resuits in program faiiure. 

Eii Technologies must be fuiiy verified before use. Verification as you fly 
increases risk and cost. 

Eii Independent analysis is a great approach to risk identification ieading to 
subsequent mitigation. 

E'3 The quaiity of the technicai features determines project success. 
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Designing a product optimistically--in other words, thinking that you can bypass “the 
physics of the problem”--will lead to failure. Physics will always win. As a result we must 
develop means of enhancing “Critical Thinking” in order to always fully understand the basic 
physics of the product. In addition as stated in the corollaries, we need to utilize other 
avenues to enhance our understanding. It is standard practice to assume unrealistic or too 
optimistic requirements. These must be challenged and brought into the realm of reality. The 
tendency is to baseline new technologies before they have are matured and verified. 
Technologies should be understood, matured and verified before incorporation in a product. 
Developing technologies in parallel with development and manufacturing is a high risk 
approach and is not prudent. Independent analysis and open inquiry are good techniques for 
assuring understanding of complex space systems. Lessons Learned should be brought to 
play in all phases of a products lifecycle. Finally “the quality of the technical features” 
determines the product success. 

The following examples will be discussed to illustrate the lesson. 

• SRB Aft Skirt Failure 

• Skylab Loss Of Thermal Shield / Solar Array 

• SSME Turbine Blade Cracking 

• SSME Duct Bellows 

• SRB Reentry Acoustics 

• Heating Impacts 

Space Shuttle Aft Skirt Failure 

The Structural Test Article structural qualification of the High Performance Motor 
resulted in a failure of the SRB aft skirt at a safety factor of 1 .28 (versus the required 1 .4) in 
the hold-down post region. As a result the SRB Aft Skirt flew for many flights with a waiver 
before installation of a fix. The problem is a very complex load path situation that occurs due 
to the vehicle weight and SSME thrust-induced loads bending the vehicle over the outer SRB 
posts. The SRB skirt angle transfers these longitudinal loads into a lateral and longitudinal 
load situation causing the skirt skin to bend against the hold down post where it is welded to 
the hold-down post as shown on Figure 7-1. [Townsend, 1998] 
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* The SSME thrust bends 
the vehicle over the 2 
SRB Holddown posts, 
putting a compressive 
load into the skirt. 

* The skirt flare angle 
creates a horizontal 
component of the thrust, 
pushing the post 
outward, putting a 
bending moment in the 
weld, which led to a 
test failure at a safety 
factor of 1 .28 vs. the 
required 1.4 


Figure 7-1. SRB Aft Skirt Failure at the Holdown Post Weld Area 

Figure 7-2 shows the magnitude and distribution of the stress introduced by the ioad. 
The figure beiow is a linear analysis that indicates the peaking of the stress but not its real 
amplitude. The actual stress of the weld was highly nonlinear and requires a noniinear 
analysis and speciai materials characterization to understand the issue. As a resuit of the test 
failure of the SRB aft skirt, the Space Shuttle flew the skirt under waiver through fiight 86. 
Fiying with a waiver required constant monitoring of the loads on each flight, special 
inspections and speciai anaiysis in order to fly the system safely. This required approximately 
5 equivalent full time engineers to accompiish. At that juncture in the program a fix was 
instituted, gaining back the margins and removing the waiver. 


POST 7*8 EFFECT OF RADIAL LOAD F>OST 8 



II 50% RADIAL * m% RAOIAt. * I RADIAL 

Figure 7-2. SRB Aft Skirt Stress Distribution 
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X-33 Shortfalls 


X-33 was a scaled model technology demonstrator for a single-stage to orbit launch 
vehicle scaled at 40% of anticipated full size SSTO. The goal of the project was 
demonstration of the critical technologies - mass fraction, metallic TPS, integral shape 
composite fuel tanks, aerospike main engines, coupled ascent and reentry aerodynamics and 
control systems, and simple low cost operations. Demonstration of TPS needed trajectories 
that reached a Mach number of at least 18. The mass fraction requirement needed to be 
demonstrated at approximately 0.9 in order to say you could extrapolate to full scale. 

Major shortfalls were the following: 

1. Weight growth precluded reaching orbit / Weight growth limited Mach number needed to 
verify TPS and didn't demonstrate acceptable mass fraction. 

This shortcoming had to do with large mass growth to solve tank problems, aerodynamic 
problems, and was limiting the achievable Mach number to 12 or less. This was hampering 
the ability to verify the TPS. The same mass growth was pushing the mass fraction to around 
0.85 making it nearly impossible to extrapolate the results to full scale. 

2. Missed coupling of aerodynamics and control (Uncovered in wind tunnel testing). 

During wind tunnel testing it was found that the ascent and reentry aerodynamic 
characteristics were in conflict requiring a reorientation and resizing of the canted fins. It took 
1 ,000 hours of wind tunnel testing to reach a compromised solution that ended up with some 
undesirable reentry and landing response and higher loads and performance loss during 
ascent. 

3. Composite integral fuel tank failure 

The integral composite fuel tank failed during verification testing. See Lesson18 for details. 
This failure ended up with the cancellation of the X-33 program. 

Gravity Probe A - Redshift 

If a spinning object has internal energy dissipation, it will orient itself so that the spin is 
about the axis of maximum moment of inertia (e.g., a long cylindrical object will flip into a flat 
spin). The initial design of the GP-A spacecraft was spun about the axis of minimum moment 
of inertia, and it had internal fluid (ammonia for the thermal system) that would slosh. The 
problem was recognized before launch, and the internal components were repositioned to 
make the moment of inertia maximum about the spin axis. The mission was successful. 
Figure 7-3 illustrates the phenomenon where the figure on the left Is spinning about its 
minimum axis, while the figure on the right is spinning about the maximum axis and is stable. 
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Gravity Probe A (Redshift) 



UNSTABLE STABLE 


• If a spinning object has internai energy dissipation, it wiil orient 
itself so that the spin is about the axis of maximum moment of 
inertia (e.g., a iong cylindricai object wili fiip into a fiat spin). 

• The initiai design of the GP-A spacecraft was spun about the 
axis of minimum moment of inertia, and it had internai fiuid 
(ammonia for the thermal system) that would slosh. 

• The problem was recognized before launch, and the internal 
components were repositioned to make the moment of inertia 
maximum about the spin axis. The mission was successful. 


Figure 7-3. Model Illustrating Effects of Spinning About Minimum and Maximum Axes 

of Moment of Inertia. 


Aerodynamic Venting Failures 

There have been at least three similar venting incidents in the history of space flight. 
Two resulted in the loss of the vehicles and one crippled the payload. Those lost were the 
Atlas-Able-Pioneer (1959) and the Atlas-Centaur (1966). The one crippled was the Saturn 
Skylab (1973). The similarity in these incidents was that each had a shroud that came off 
during the transonic flight regime. In the first two incidences, the understanding of the flow 
physics was not known. Had it been known, the shrouds would have been designed so that 
they would have been under crush loads; however that was not the case. They were 
unknowingly designed so that during transonic flight the shroud load was a burst load that 
resulted in failure. These failures could have been prevented had the shrouds been 
adequately vented. 

In the case of the Saturn Skylab an auxiliary tunnel was not adequately vented. The 
venting analysis was predicated on the assumption that the tunnel would be completely 
sealed at the aft end, but the aft end as manufactured was not sealed. The openings in the 
aft end were a result of lack of “technical integration.” The fact is this critical sealing 
requirement had not been communicated between aerodynamics, structural design, and 
manufacturing personnel, see [Lundin, 1973]. Furthermore, “system engineering” was not 
adequate. There was no dedicated project engineer and that resulted In lack of effective 
integration. 
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Figure 7-4. Saturn Skylab Solar Array System (SAS) 


Shown in Figure 7-4 is the Skyiab SAS. The first figure shows the system as it shouid 
have been deployed. In the middle figure, the destructive liftoff of the auxiliary tunnei as a 
result of the transonic fiow induced burst ioad can be seen. The figure on the right shows the 
unwrapping of the micrometeoroid shieid that was aiso a thermal shield. While the vehicle 
was not lost, the payload was crippled. However, eventually, a sun shield was added for 
thermal protection and the mission was saved. Saving the Skyiab was a compiex process 
that required two mission EVA activities. Ground and sateilite pictures showed the damage 
and what had to be accomplished in order for the spacecraft to be operationai. They showed 
that one of the soiar arrays was destroyed and the other was jammed with parts from the 
failed structure. Also it showed that the thermal shield was destroyed resulting in high 
temperatures within the iiving quarters etc. The first crew carried cutters for unleashing the 
jammed soiar array and a parasoi that could be installed through a scientific iock. Unleashing 
the jammed solar array required an EVA activity for the crew that had some risks due to the 
dynamics of the reiease of the partially deployed array when the jamming strut was cut. 

These two activities were performed and the first crew then compieted the science part of the 
mission after they had activated aii the systems of the Skyiab and the Apollo Telescope 
Mount. The temperature within the workshop was higher than desired by the crew so on the 
next fiight a iarger thermai shieid was deployed. This required another EVA to first install the 
two long telescoping poies from the ATM aiong the workshop. Once they were installed then 
a new thermal shield was installed on the poles covering the shield from the previous fiight 
and a much larger area of the workshop. This fixed the temperature probiem. The oniy 
remaining issue was the limited power restoration ability of having oniy one solar panel 
instead of two. This was handled by mission event pianning and then the remaining missions 
were very successful. See Figure 7-5 for the first fix and Figure 7-6 for a picture of the finai 
configuration. 

This in-fiight anomaiy was a result of failures in both technicai integration and systems 
engineering. Aii the requirements were not communicated. In reference, [Augustine, 1983], 
there are fifty-two laws (Augustine’s Laws). The forty-fifth law states, “One should expect that 
the expected can be prevented, but the unexpected should have been expected.” 
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Shield 1 


Sequence of parasol deployment, (a) Parasol operation 
from interior of airlock, (b) Parasol at partial extension, (c) 



Full extension and partial deployment, (d) Fully deployed 
and retracted for service. 


• Inadequate venting of the 
Solar Array container 
during ascent destroyed 
one solar array and the 
Workshop insulation. 

• On-orbit installation of 
thermal shields by the 
astronauts was required 
during first mission 
occupancy. 

• Initially a parasol was 
deployed through a viewing 
port, with a larger shield 
deployed on the second 
mission. 


Figure 7-5. Skylab Initial Thermal Shield Deployment 



Figure 7-6. Final Skylab Configuration with Second Thermal Shield Deployed 
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SSME Fatigue Issues 

The high performance of the SSME coupled with the high power density, discussed in 
the earlier section on the challenge of space travel, created many fracture and fatigue 
problems. [Ryan, et al, in Chaffe, 1983] The high pressure turbo pumps turbine blades is 
one classical example. There were two types of fatigue experienced in the SSME program: 
(1) Low cycle fatigue, (2) High cycle fatigue. The low cycle fatigue is introduced by the cycle 
between low and very high pressures and temperatures. At maximum operating conditions 
the temperature is 1800 R and at shutdown the pump is purged with low temperature 
gaseous nitrogen. The fuel pump with its preburner is about 3’ long, weighs 750 pounds and 
rotates about 30,000RPM, generating 70,000 HP. Each turbine blade, about the size of a 
man’s thumb, generates 550 HP. As the turbine spins, the driving gas is guided with vanes, 
which creates a fluctuating pressure on the each blade as it passes each vane. This 
introduces vibration in the blade that leads to high cycle fatigue. 

The fix for the high cycle fatigue was to install a damper between the blade platform 
and the wheel it is mounted in. During the test where the failure occurred the gold plating 
used on the damper to eliminate hydrogen effects failed and the blade damper became 
ineffective. The fix involved disallowance of platings on the damper. No additional problems 
occurred with this blade during the tenure of the Rocketdyne pumps on Shuttle. Figure 7-7 
shows the fuel pump blade; Figure 7-8 depicts the LOX pump blade that had a low cycle 
fatigue problem. The low cycle fatigue was caused by the thermal cycling the blade 
experienced in going from a very high operating temperature to ambient temperature during 
shutdown. The crack growth phenomenon was controlled though Inspections, ground test hot 
fire history and the application of the 50% fleet leader rule. This rule says that no part can fly 
on a Shuttle mission that does not have twice the time on two identical parts In ground tests. 
This rule has been applied to all critical SSME parts and components. 


• DESCRIPTION 



• HIGH CYCLE FATIGUE 

• STAGE 1 PROPAGATION 


• CAUSED BY DAMPER / BLADE BONDING 
• NON-PRODUCTION CONFIGURATION 


• RATIONALE FOR ACCEPTANCE 
• ELIMINATED BY DISALLOWANCE 
OF PLATING ON DAMPERS 


Figure 7-7. Fuel Pump Turbine Blade High Cycle Fatigue 
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» UPDATED - FIRST STAGE 

• NONCRITICAL 

• INTERGRANULAR & TRANSGRANULAR 

• LCF - THERMAL FATIGUE 

• RADIAL ORIENTATION 
•<0.022 IN. DEEP 

• RATIONALE FOR ACCEPTANCE 

• SELF LIMITING BEHAVIOR 

• ACCEPTABLE FRACTURE 
MECHANICS ANALYSIS 

• CRITICAL INITIAL FLAW SIZE = .034’ 

• ENGINE EXPERIENCE 

• DISASSEMBLY INSPECTION 

• SPEC CONTROL 

• LIMIT BY FLEET LEADER RULE 


Figure 7-8. LOX Pump Turbine Biade Low Cycie Fatigue Probiem 


There have been many technologies tried, some with success, to solve the problem of 
a blade operating in such an extreme environment. Various materials, in conjunction with 
growing the blades as single and double crystals have been developed and used; however, 
operating in these extreme environments will always be a complex and daunting challenge. 
Sensitivities, uncertainties and risk are means whereby mitigation approaches such as the 
50% fleet leader rule are developed to ensure mission success and flight safety. 


Low Pressure Fuel Duct Bellows Failure 

The low pressure fuel pump on the SSME is connected to the high pressure fuel pump 
by a duct that has three bellows, see Figure 7-9. This duct design enables the SSME to 
execute gimbal motion during static testing and ascent flight. 



RS008961 Failed Bellows 


Figure 7-9. Beliows Flex Joint 
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The flex-joint is composed of a flexing beiiows that is rigidiy attached to the ducts on 
each side of the beiiows. Internally this is accompiished using a gimbaiing tripod as shown on 
Figure 7-10. The propellant flow across the gimbal causes it to vibrate, fatigue, and crack as 
indicated on the figure. 



Figure 7-10. Flex Joint Internal Tripod Tie 


During static testing of engine 2206, the RS008961 beiiows failed due to a high cycle 
fatigue crack that initiated at the inner radius of tripod leg 1 . When the tripod separated, it 
produced projectiies that traveled downstream and impacted the fuel duct wall causing a 
hydrogen leak, see Figure 7-1 1 . 



Figure 7-11. Bellows Failure and Duct Rupture 
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The test history associated with this duct was: 90 starts, 31 ,853 seconds, and 19.54 
equivalent gimbal cycles. The fleet leader had 36,1 14 seconds of hot fire. Subsequent 
investigation revealed the fatigue cracking started at the inner dogleg radius as a 
consequence of missing a drawing requirement. This radius was found to be significantly 
smaller than specified by the drawings. At the failure location the cross-section was machined 
incorrectly to an area smaller than specified. Thus the failure was attributed to 
misinterpretation of drawings, inadequate manufacturing, and inspection procedures. 

The corrective actions included revising drawings to clarify dimensioning of the cross- 
sectional area and procedures were revised to inspect the tripod geometry during final 
assembly and subsequent welding. As a result of this and other failures of this type, the 
SSME and Shuttle project has adopted a 50% fleet leader rule for the engine parts as 
discussed previously. This approach has been very successful since there have been no 
SSME flight failures. 

Solid Rocket Booster Reentry Acoustics 

During reentry of the SRB after it boosts the Space Shuttle, its trajectory exhibits 
random characteristics with the angle of attack varying from 96 to 180 degrees and with the 
dynamic pressure varying from 360 to 1 ,020psf for a 95 percentile envelope at a reentry 
Mach number of 3.5. During the design phase, pressure fluctuations of 189dB were predicted 
on the nozzle extension and later verified in wind tunnel tests. It was initially thought that 
these high levels would have a severe effect on the SRB nozzle. To mitigate any adverse 
effects, the nozzle extension was severed at apogee. Shown in Figure 7-12 are wind tunnel 
results at a Mach number of 3.5 without the nozzle extension. 

- FLIGHT HEAT SHIELD 
NO HEAT SHIELD 



ANGLE Of ATTACK - DEGREES 


Figure 7-12. SRB Reentry Fluctuating Pressure Leveis without Nozzle Extension 

It can be seen that without a nozzle extension the overall fluctuating pressure levels 
(OAFPL) are significantly below 189dB. In addition, having a heat shield reduces the levels. A 
description of the reentry trajectory, wind tunnel testing, and scaling is provided in reference 
[Schutzenhofer et. al., 1979] 
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The effect of the having high OAFPL’s on the system was not understood. It was 
decided to instrument the SRB with dynamic pressure transducers to measure the levels with 
the nozzle extension on. Shown on Figure 7-13 is the OAFPL on the nozzle extension 
through the reentry. These are root-mean-square (rms) values converted to decibels as 
function of time. The oscillatory variations are due to the oscillatory variations in angle of 
attack. It can be seen that there were high levels (>190dB) as predicted and measured in 
wind tunnel testing. However, there was no dynamic tuning with the structure or 
electrical/hydraulic components. Thus while the OAFPL’s were high, their effect was benign 
and the project decided to sever the nozzle at different time during reentry. 

In this case, the unknown aero-acoustic event was anticipated! The project 
implemented a fix to mitigate potential effects of the high fluctuating pressure levels. Even 
though the OAFPL’s were high, the fix was eventually changed since the response of the 
structure and electrical/hydraulic components was benign. 



Figure 7-13. STS 6 Aft Nozzle OAFPL with Nozzie Extension 


Plume / Base Flow Heating 

During the first Jupiter flight there was an in-flight anomaly where burning in the base 
of the vehicle resulted in loss of vehicle. The root cause was entrainment and burning of gas 
discharged from the turbine of the Rocketdyne A-7 hydrocarbon engine. 

Shown in Figure 7-14 is the Jupiter 1 in flight. The figure on the left is early in flight 
where the pressure in the base is lower than free stream static pressure (atmospheric 
pressure). The smaller stream of gas, seen in the base, is the fuel rich turbine exhaust flow. 
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The interaction of the base flow and the plume is benign. The figure on the right is prior to 
loss of vehicle at high altitude. In this situation the interaction of the plume and base flow is 
significant. The pressure in the base is higher than that of the free stream pressure. The 
turbine exhaust gas was unexpectedly entrained and recirculated in the base where the fuel 
rich gas ignited and burned in the base region resulting in loss of vehicle. A heat shield was 
added to mitigate effects of base burning. 



Figure 7-14. Jupiter 1 Base Fiow 


The illustration in Figure 7-15 shows a comparison of a flow field at low altitude to that 
of one at high altitude. It can be seen that at low altitude where the pressure in the base is 
lower than the free stream pressure, the flow is aspirated through the base area. However, at 
high altitude, where the free stream pressure is lower than the base pressure, the flow field in 
the base is reversed with hot gas from the plumes being recirculated increasing the thermal 
environment. 





Flow Aspiration (low altitude) 

Figure 7-15. 


Flow Reversal (high altitude) 

Plume Induced Base Flow Field 
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other vehicles have also experienced significant plume induced separated flow. 
Shown on Figure 7-16 below are the plume flows for the Space Shuttle and Saturn Apollo. In 
the case of the Space Shuttle the plume flow was expected but the effects were under 
predicted. This resulted in unexpected loads that required fixes that cost 5000 pounds of 
payload. In the case of the Saturn, the plume size and shape were unexpected; however, 
there were no significant impacts to the vehicle. 



Figure 7-16. Space Shuttle and Saturn Apollo Plume Flow 


® A key message from Lesson 7: 

Our Systems Are Governed by the Laws of Physics - 
You Can’t Wish it Away, 

You Can’t Analyze It Away, 

You Can’t Ignore it. 

Lesson 8: Engineering is a Logical Thought Process 

® Engineering is a logical thought process, not a collection of computer codes. 

Learn to think; use the computer to enhance the thought process. 

Engineering is based on the laws and principles of physics; therefore, engineering and 
engineering design is a logical process that considers the various options available within the 
constraints of the applicable principles. The basic skill required is the ability to think in terms 
of the principles in a logical manner. Computers, tests, analysis are therefore tools that 
provide information for the human mind to accomplish the design. There are many examples 
in space history that can be used to illustrate the lesson. The SRB aft skirt problem was 
discussed previously; two will be discussed here. 
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The following examples will be discussed to illustrate the lesson: 


• Saturn V Sloshing Computer Program. 

• Space Station Node Gusset 


Saturn V Sloshing Computer Program 

During Saturn V development, propellant sloshing was a major concern. Tools for 
analyzing the interaction of the vehicle, the vehicle control system and propellant sloshing 
were in a state of development. While laboriously checking out the program to compute 
sloshing dynamics using computer priority, we kept making program changes due to errors 
found, which required new punched cards and card assembly. The computer operator finally 
asked Robert Ryan, “If you know the answer why are we running the program?” He replied, 

“If we didn’t know the answer we should not be running the program.” In other words we need 
to know the physics of the problem so that we can continuously check the computer program. 
Computer programs only give you what you ask them to. This check is made using simplified 
equations and back of the envelope calculations in terms of the basic physics of the problem. 
Helmut Horn, our early German supervisor, would make you go to the blackboard and show a 
simple model of the more complex model being discussed. He said that if you couldn’t 
explain it in simple terms you did not understand it. He wanted you to use that same model to 
check out the computer results or even someone else’s work or presentation. 

ISS Node Load Paths and Common Berthing Mechanism Fretting 

The ISS Node (Figure 8-1) had two major problems during development. The first had 
to do with the berthing ports gusset yielding during proof testing. The second was the galling 
of the common berthing mechanism during berthing simulations. 



Figure 8-1. iSS Node Showing Berthing Ports and Gussets 
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The gusset yielding was found in the proof pressure testing and was a classic load 
paths problem created by trying to save weight and not understanding the primary load paths. 
The hoop stress was all dumped into the two gussets installed on the radial sides of the 
berthing port. Understanding load paths is critical to the design of structures. Pugh has 
written articles and has sections in his books on designing for load paths. [Pugh, 1991] Load 
paths are one of the basic physics of the design that must be adequately understood and 
designed for. 

The berthing mechanism was tested extensively on the 5 degree of freedom motion 
simulator at MSFC’s computational laboratory. During test the mechanism would gall due to 
the unpredictability of the contact angle. This was a result of the fact that the berthing was 
accomplished using the remote manipulator system (RMS) which had no unique position to 
bring in the second body because of the multiple joint angle possibilities. This contact angle 
depended on how the RMS captured the second body and its position relative to the station. 
The problem was solved once the total motion possibilities were clearly understood (initial 
conditions) and it has performed flawlessly during ISS missions. [Ryan’s working papers] 

® A key message from Lesson 8: 

Engineering is a Logicai Thought Process 

Instead of Blindly Applying Processes and Codes 

• Think Critically 

• Understand 

• Explain 


Lesson 9: Mathematics is the Same! 

® The mathematical expressions (describing equations) for our systems’ physical 
processes are the same. The difference is in the dimensions (units) and boundary 
conditions. 

The following mathematical categories illustrate the lesson: 

• Algebra and Geometry 

• Ordinary Differential Equations 

• Partial Differential Equations 

The fact that mathematics can describe the physical phenomena of nature is 
astounding. In addition the fact that mathematics, using the same forms, can describe all of 
the various areas of physics is even more astounding. Of course algebra and geometry is 
basic to all; however, the use of ordinary and partial differential equations is also 
foundational. Since the same form of the differential equations describe all the various 
disciplines then we can make analogies between the various disciplines, by just changing 
coefficients and units. This was the basis for the analog computer that many of us grew up 
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using to solve our equations. This also means that we can think in disciplines other than our 
specialties using this transformation. The basic message then is that we must be proficient in 
the use of mathematics while at the same time understanding the difference in the 
phenomenon that is being observed. We can use the similarities to a great advantage but in 
the end “the physics of the problem rules”. 


® A key message from Lesson 9: 

Learn the mathematics. It is the foundation of all analysis and modeling. 


Lesson 10: Fundamentals of Launch Vehicle Design 

® Challenges of launch vehicle performance 
® The fundamentals of launch vehicle design are: 

Eii Propulsion system efficiency 

Eii Structurai (non-propeiiant mass) efficiency 

Eii Managing the iosses 

The design of a launch vehicle is concerned with getting a payload to orbit in an 
effective and efficient manner. To design and operate a space launch vehicle one needs to 
understand the physical basics of the system. The essence of this lesson is the elements of 
that fundamental understanding: propulsion system efficiency, structural efficiency and 
managing the system losses. Overcoming gravity makes this a very challenging job as 
discussed in Lesson 3. To accomplish this task we must have highly efficient structures and 
propulsion systems and manage the losses in order to have a balanced system. The next 
section will discuss these fundamentals. 

Figure 10-1 goes into more detail of the elements of the fundamentals of launch 
vehicle design. The discussion in Lesson 3 illustrated the complexity and challenge of space 
flight. Figure 10-1 summarizes the basic characteristics of the challenge. Emphasized is the 
fact that the technical, propulsion and structural efficiencies and managing the losses must 
be balanced and traded with the programmatics of cost, schedule and the -ilities. This 
balancing between the programmatics and the technical is a major challenge in that what we 
do to reduce cost and schedule greatly affects the technical. The process is further 
complicated by the fact that the technical requires that the design get all the performance 
possible in order to overcome gravity etc. Figure 10-1 depicts representative but not complete 
lists of the characteristics of the three fundamentals of launch vehicle design. Notice that for 
mass efficiency the three elements of mass fraction, packaging, thermal protection system 
are some of the things you can manage to get mass efficiency. Each though has many 
subsets; for example, mass fraction contains structural configuration, materials, loads etc. 
Propulsion systems deal with at least the engine cycle, Isp and engine thrust to weight ratio. 
Again each of these would have many sub parts. Managing the losses includes the generally 
known parts such as gravity losses and expands into environments, etc. A big effort is 
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dealing with uncertainties and interactions. Uncertainties must be clearly defined starting with 
an initial set. These uncertainties are then burned down as the lifecycle is moved towards 
operations. Interactions are very complicated and must be analyzed and controlled or the 
losses get very high. Interactions not understood are one of the major causes of problems in 
any launch vehicle system. The classic ones such as flutter, whirl, pogo etc. must be 
designed out of the system. 


Launch Vehicle Fundamentals 

Design Factors 


Mass Efficiency 


Mass fraction 
Packaging 
Thermal Protection 
System 


Key Efficiency Issues 

-I— 


I 


Propulsion Efficiency 


L 


Losses 




Engine Cycle 
Isp 

(T/W)e^^ 


Design Complexity 


Number of Parts 
Number of interfaces 
Number of Manufacturing 
Process Steps 
Number of Failure Modes 


Additional design factors include 
the -ilities. cost & schedule 


Trajectory 

I Zy!?? 

M 


dt • losses 



AV 


Ideal 

- Gravity 

- Drag 

- Back Pressure 

- Thrust Vectoring 

- Turning 

Uncertainty » Margin 

- Aerodynamic Prediction 

- Natural Environments 

- Immature Technologies 

- Manufacturing Effects 
Discipline Interactions 

-Trajectory, Loads, Control, and Thermal 

- Structure/Control 

- Aeroelasticity 
-POGO 

Unknown Losses 

- Missed the Physics 

- Underestimated Uncertainties 

- Didn’t Think of it 


S07S72 gon2SU«ynp 6 


Figure 10-1. Balancing the Key Eiements of Launch Vehicle Design 


The following examples are used to illustrate the fundamentals of a launch vehicle 
design: 

• Launch Vehicle Efficiencies 

• Sensitivity Versus Performance 

• Historical Mass Growth 

• Typical Issues of Launch Vehicle Configurations 

Launch Vehicle Efficiencies 

The first example deals with the concept of balancing the efficiencies with the 
programmatics as shown on the list below. Early space system design was driven by 
performance and then assessed for the lllites/programmatic. When the illities/programatics is 
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placed on the design table with the first three principles, the balancing act of the design get 
very complicated. What is required is to develop functional relationships between the 
illities/programatics parameters and the design parameters of structures, propulsion etc. so 
that the design is a total system design. [Ryan, et al, 1977] For example If the system is not 
designed for cost in conjunction with the physical design one will never get minimum cost 
design. Accomplishing a total system design is one of the major challenges space systems 
design faces today. This will be further discussed in Lesson 17. 

Challenge is to Balance Between 


Performance . -ilities & 

snu 

Efficiencies Programmatics 


- Propulsion Efficiency 

- Structural Efficiency 
• Managing the Losses 


- Reliability 

- Operability 

- Cost 

- Schedule 


Sensitivity Versus Performance 

One of the techniques we use to accomplish design is developing and quantifying the 
sensitivities of the system to the design parameter variations. Figure 1 0-2 shows the 
sensitivity of a single stage to orbit launch vehicle gross liftoff weight to the structural mass 
fraction and the propulsion system Isp. Notice that we have put two lines on the graph to 
bound the problem. The first is a limit on gross liftoff weight that was estimated based on 
efficient size for operations. The second is the practical limit on Isp. This limit is 453 out of a 
possible 460 seconds for a typical LOX hydrogen engine operating at a 6.0 mixture ratio. 

As you can see there is only one design curve that lies well within the boundaries — 
that is for a mass fraction of .95, a value that is still unattainable. A 0.9 mass fraction has 
way too much sensitivity to Isp and is not practical as Is 0.89. The message of this chart is 
that because of the sensitivities, a single stage launch vehicle is not practical using today’s 
technologies. [Ryan’s working papers] 
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SSTO Gross Liftoff Weight (GLOW) Sensitivity 
to Specific Impulse (Isp) and Mass Fraction (MF) 


56,000 lbs to 100x100 nm @ 28.5 deg 



isp^ec) 


MF « Q8S 
-*-MF -Q89 
-A-MF -090 
MF -095 


Note: Mass 
Fractonis 
defined here 
as Wprop/ 
(Wcrop + 
Wd7) 
(No payload 
rxjuded) 


Figure 10-2. Effect of Isp and Mass Fraction Uncertainty Sensitivities on Vehicle 

Gross Liftoff Weight 


Figure 10-3 shows the sensitivity of launch weight to launch weight margin assumed 
initial design. Depicted using three different curves is the burn down of margin versus 
lifecycle. This plot is generic in nature and does not contain absolute values. 

Dry Weight Margin Sensitivity 
Impact of Design Phases on Sensitivity and Margin 

SSTO Example, 25k to LEO 



Figure 10-3. Launch Vehicle Dry weight Sensitivity to Dry Weight Margin 


Historical Mass Growth 


The reason we use dry mass margin initially is that history has shown that all space 
systems grow In mass as the lifecycle matures. The following list indicates factors in mass 
growth. 

• Experience shows that space vehicles have mass growth 

• Margins must be taken Into account early In design process 

• Technology exists to improve mass estimates 

- e.g. Vehicle Integrated Performance Analysis (VIPA) 

• Categories where mass growth has to be taken into account 

- Vehicle dry mass (vehicle stages and payload) 

- Propellant reserve 

• Primary causes for mass growth are 

- Improper definition of environments 

- Inadequate definition of subsystems 

- TRL not maturing as expected 

- Uncertainties not taken into account or controlled 

- Unknown unknowns 


Figure 1 0-4 shows a data base of historical mass growth in various programs. 
[Alexander, et al, 2002] It Is clear that initial design must account for this growth. The 
question then arises as to what is an acceptable mass growth margin and are there additional 
margins that should be used? A current practice for launch vehicles uses 15% on all new 
structure and 5% on all heritage hardware being used. In addition 15% performance margin 
is allocated to cover the losses discussed earlier and for program manger reserves for later 
unpredicted problems. 
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Historical Mass Growth (%) 
From ATP To Program Completion 


Space Vehicles and Stages Aircraft Other Space Hardware 


* Saturn I 


•X-20 

44 

•Centaur 

22 

S-l stage 

16 

•XB-70 

45 

•Thor 

5 

Interstage 

24 

•F4H 

15 

•Titan 1 

10 

S-IV stage 

16 

•F101 

7 

•Titan II 

2 



•F3H 

-4 

•Titan III 

-1 

* Saturn V 


•DC^ 

6 

•Mercury 

28 

S-IC stage 501 

7 

•DC-9 

7 

•Gemini 

18 

S-ll stage 501 

32 

•C-131A 

1 

•Apollo, Inert 

22 

S-IVB stage 501 

33 

•F-102 

29 


* Space Shuttle 


•F-111 

23 

Average 

13.4% 


•Frtoe 

4 

Inert SRM (w/o DFI) 

6 

•Concorde 

26 



Inert SRB {w/o DFI} 

13 





SRB Subsystems (w/o DFI) 

43 

Average 

16% 



ET, Standard, Inert 

10 



Orbiter 

27 





•Inertial Upper Stage 






lUS (2 -stage, dry) 

11 





lUS ASE 

122 





*X^3 

57 


Overall Average 2 1 % 


•X-37 

25 





Average 

29.5% 






Figure 10-4. Historical Mass Growth of Space Systems 


Typical Issues of Launch Vehicle Configurations 

Depicted on Figure 10-5 is a list of other design complexities that can lead to weight 
increases and system complexities that must be understood and considered in design. 
Dynamic tuning of any multi-body configuration usually has large sensitivities of the dynamic 
response to events such as liftoff and gust response thus must be clearly understood and 
characterized. The same is true for all load paths and unsymmetrical geometries. Major 
interactions between subsystems, disciplines etc. are key drivers that are the source of many 
problems and therefore must also be characterized and designed out where possible. One 
principle is stated as: “The simpler the loads paths, in general, the more reliable the system.” 
TRL levels of each element should be verified before incorporation into a design. Designing 
for robustness is nearly always a plus. Depth of analysis is determined by the system 
complexity and sensitivities. 
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Typical Issues of Launch Vehicle Configurations 


1. Static unsymmetrical coupling 

2. Dynamic coupling (symmetrical and unsymmetrical) 

3. Load paths 

4. Subsystem and discipline interactions 

5. Subsystem optimization / TRL 

6. Analysis depth / iterations / verification 

7. Operability 

8. Flexibility / Robustness 









Figure 10-5. Additional System Considerations for Launch Vehicle Design 


<> A key message from Lesson 10: 

Challenge Is to balance between performance efficiencies and -ilities and 
programmatics 


Principle V: Robust Design is Based on Our Understanding of 
Sensitivities, Uncertainties, and Margins 


In the design of complex systems with high power densities there are aiways top levei 
requirements, constraints, ground ruies, and assumptions that set the stage for 
accomplishing the design. It is the designer’s chaiienge to figure out how to strike balance 
among them. Included in the art of design is knowing how to apply sensitivities, uncertainties, 
and margins to achieve the best baianced design with confidence. Sensitivity anaiysis is a 
key tool to achieve the best balance among the design’s attributes by assessing the changes 
in the attributes in term of changes in the design variabies. This is accomplished by 
understanding the sensitivity factors (partial derivatives). It enables the designer to iterativeiy 
converge the design and invoives the appiication of anaiysis, test, and simulations. 
Uncertainty pertains to random variations in design input variabies at aii ievels and the 
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corresponding random variations in the design attribute (outputs). These variations are about 
mean values and are determined via historical data bases, tests, and expert opinions. Margin 
pertains to the difference between some measure of capability and some measure of 
demand. Understanding uncertainties and application of adequate margins throughout the 
various stages of the project provide the necessary confidence in the design of systems with 
high power densities. 

The following are lessons related to this principle: 

1 1 . Robustness 

12. Understanding Sensitivities and Uncertainties is Mandatory 

13. Program Margins Must Be Adequate 

Lesson 1 1 : Robustness 

Strategies that enable robustness 

Eii Design for simplicity, number of parts, joints, interfaces etc. 

Eii Design structures for simplicity of load paths 
E3 Get the joints right 

Eii Don't overlay complexity with complexity in solving problems or 
issues. Overlay complexity with simplicity. 

The goal of design is to achieve the best balanced design in consideration of all 
requirements, constraints, etc. At the same time, the design needs to be robust. Robustness 
can be defined as follows: 

1 . A robust design is one where the response of the system is inherently insensitive to 
perturbations. 

2. A robust design is one where the response of the system can be sensitive to 
perturbations, but can be adequately managed. 

Robustness can be achieved by applying simple strategies; the following are some 
examples of those strategies. For instance, design for simplicity, minimum number of parts, 
simple joints and interfaces, etc. The original fuel turbopump housing on the Space Shuttle 
Main Engine (SSME) had about 469 welds and 315 were uninspectable and sections of the 
housing were sheet metal. The bearing material was 440C steel. When the alternate 
turbopump was designed the housing consisted of investment castings that eliminated welds 
and sheet metal. The bearing material Is silicon nitride and the rotating assembly has about 
half the number of parts as the original design. Another design goal would be to simplify load 
paths. This would reduce stress concentrations and reinforcing substructures; thus, less 
weight. In addition, design joints so that the loads are spread out instead of focused to a point 
that has to be reinforced. Finally, don’t overlay complexity with complexity in solving 
problems; overlay complexity with simplicity. To resolve rotordynamic instabilities in the 
SSME turbomachinery complicated design fixes were considered to stiffen the rotating 
assembly. However, a damping seal was implemented to stabilize the system. Application of 
the damping seal was simple In comparison to other approaches considered. 
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Examples: 


• Six Elements of Robustness 

• Saturn V Five Engines on the 1 and 2'^^ stages 

• Saturn V Structural Capability 

• Inertial Upper Stage (lUS) Robustness 

Six Elements of Robustness 

1. Margins/Tolerant Design 

Sometimes the general notion associated with robustness is “add more margin.” If that can 
be done without compromising the design in terms of safety, performance, cost, and 
schedule, then it’s appropriate. However, in some situations adding more margin will not be 
appropriate and other means will be necessary to achieve balanced design goals. 

2. Redundancy 

Redundancy can be illustrated in terms of the number of strings of avionics added to the 
system. For instance, assuming no common-cause failures, if one string has a reliability of .9, 
two strings will be .99, and three strings will be .999. If one string has a reliability of .99, two 
strings will be .9999, and three strings will be .999999. Thus, this simple example shows what 
is involved in achieving various levels of system reliability with redundancy. 

3. Simplicity 

Simplicity is one of the most important aspects of a wisely designed system. For instance, it 
is simple to design, analyze, test, and operate. Achieving balance through sensitivity analysis 
can be simple as well as assessing uncertainty and eventually determining risk. 

4. Desensitization to Parameter Uncertainties 

Uncertainties usually pertain to random variations in a quantity about a mean value. The 
attributes (outputs) of the design are affected by design variables (inputs) and other 
parameters. Since there can be random variations in the inputs and parameters; there can be 
random variations in the output variables. For small variations, the output variations are about 
equal to the sum of sensitivity factors multiplied by random variations of the inputs (could also 
include parameters with random variation). This is the basis for the root-sum-square (RSS) 
methodology. Since there is a product relationship (sensitivity times random variation), by 
reducing the sensitivity factor the variation in the output can be reduced. This is an approach 
toward determining, controlling, and managing variations in the design attributes (output). 

5. Control of Parameter Variations 

In some instances control of parameter variations is difficult. For instance, a way of dealing 
with random variations in the atmospheric winds has been to measure day of launch winds 
and fly the vehicle for suitable conditions. In structural design, controlling tolerances is an 
approach that enables the structural designer to control stress and deflection. In avionics, the 
variation in electrical components can be controlled by hand picking parts that fall within 
specified tolerance limits. In all these examples, it can be seen that controlling parameter 
variations can have a significant impact on cost. 
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6. Operational Procedures 

One of the goals of design is to minimize maintenance and operational procedures. In a 
generic sense, it would desirable to reduce the number of purges, electrical checkouts, 
change out of components and parts, number of fluids (Initially, Shuttle had eleven major 
fluids), etc. In the early days of Space Shuttle flights, the turbomachinery was removed after 
every flight to replace turbine blades and bearings at the cost of three million dollars per 
pump. The life time of the present high pressure fuel turbopump is 3354 seconds; this 
includes one acceptance test and five flights. At the present time there will be no rebuild of 
turbopumps since there are enough flight assets to fly out the remainder of the manifest. 

The above six elements and others are important factors that lead to robust balanced 
designs with minimal risk. They increase reliability and safety and reduce cost; they should 
be practiced through all stages of the design process and in operations. [Ryan, R., AIAA 
Paper 93-0974, 1993] 


Saturn V Five Engines on the 1®* and 2"'* Stages 

In the original conceptual design of Saturn/Apollo, there were four F-1 engines on the 
S-IC stage and four J-2 engines on the S-ll stage. There were concerns regarding the weight 
estimates of the Saturn/Apollo system. A decision was made to add another F-1 engine to the 
S-IC stage to provide margin. Then a radiation shield was inadvertently omitted in the design 
of the spacecraft and had to be added. To account for the added shield, the S-ll stage 
diameter was increased and a fifth J-2 engine was added. The addition of the fifth F-1 and J- 
2 engines provided margin that allowed for unexpected weight growth and future missions of 
the Lunar Rover and Skylab. 

The loss of the fifth engine on the S-ll stage during the Apollo 13 flight did not impact 
the mission. The other four engines burned longer to achieve the correct Insertion velocity. 

Adding these engines is an example of prudent design practice where margin enabled 
the moon landing, saved Apollo 13, and enabled Lunar Rover and Skylab. 


Saturn V Structural Capability 

The Saturn V composite design line loads are shown in Figure 11-1. The vertical axis 
is vehicle station in inches and the horizontal axis is the total structural load. It can be seen 
that the lower portion was designed by ground winds. (The term “designed by” means that 
the specified environment causes the maximum load event.) The interstages and upper part 
of the vehicle were designed by maximum product of dynamic pressure and angle of attack 
(qa) and rest of the vehicle was designed by 1®' stage cutoff. In addition, the safety factor is 
shown. 
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The design strategy used to develop these loads includes rigid and elastic body 
effects. This strategy was developed in the early design stages and resulted in a loads 
combination equation (LCE). This was an attempt to determine loads that would be equal to 
or less than the .99865 probability level. The Saturn V rigid-body loads strategy included: 1 . 
95% scalar wind speed (worst month), 2. RSS’d 99% wind gust and shear, 3. three-a 
variations on all response parameters, and 4. no wind biasing. The elastic body effects 
included three-a bending dynamics - turbulence. Additional margin was achieved during 
operations by flying with monthly mean biasing. 


Stalicn in fciches 



Total STuctural Loads 

Figure 11-1. Saturn-V Composite Design Line Load 


Strategies as shown above provided margin without compromising payload capability. 
In fact, it enabled the Saturn to be used for the Lunar Rover and Skylab. 


Inertial Upper Stage (lUS) Robustness 

The lUS is a highly redundant stage that can be commanded from the ground. It 
inserts payloads (-5000 lbs) into higher orbits (geo-sync) than primary boosters such as 
Shuttle or Titans. It operated from 1982 until 2004 that included 24 missions; 15 NASA and 9 
DOD. In addition, it was functionally redundant. Shown on figure 1 1-2 is a description along 
with some of its characteristics, see reference [Dunn, 1984]. 
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spacecraft separation plane 



Interstage 


Avionics bay 
(redundant components) 


Reaction control system 


Solkf-rocket motor 


Extendable exit cone 


Solid-rocket motor 


Thrust vector 
control actuator 


Length: 1 7ft : Diameter: 9.5ft 
Weight: 32, SOOIbs. 

Control: 3-axis stabilized 
Propellant: HTPB (hydroxyl terminated 

poly-butadine) solid propellant 

Propulsion: 2 Chemical Systems Division 
Solid Rocket Motors 
1st Stage Thrust: 45,600 lbs. 

Isp: 295.5 sec. 

2nd Stage Thrust: 1 8,500 lbs. 

I 3 P: 303.5 sec. 

Stage Contractor: Boeing 


Figure 11-2. Inertial Upper Stage and Characteristics 


The first stage boosts the second stage and payload into geo-transfer orbit and the 
second stage provides the energy to put the payload into a circularized geo-sync orbit. 

There were three incidents out of twenty four missions. Because of its ability to be 
commanded from the ground and being functionally redundant only one mission was lost. 
The three missions where there were incidents were: IUS-2, IUS-1 , and IUS-21 . Our 
experience was with IUS-1 and IUS-21 , and only those will be discussed. 

IUS-1 was flown on Space Shuttle STS-6 in 1983 and the payload was the Tracking 
and Data Relay Satellite (TDRS-1). During the IUS-1 second stage flight, a critical seal in the 
nozzle failed. The nozzle canted and locked up In the canted position and the control system 
lost its ability to position the nozzle and control the system. The lUS/TDRS tumbled for about 
half of the circularization burn and ended in a 13,579 by 21 ,980 statue mile orbit. While 
tumbling the lUS and TDRS were separated by ground command. Over a two month period 
the TDRS was boosted to the desired 22,300 mile orbit; it required thirty nine maneuvers and 
consumed 64% of the hydrazine fuel. 

Shown on Figure 1 1 -3 is a cross section of the second stage nozzle. Hot gas leaked 
through the Grafoil seal. The titanium housing of the Techroll seal got hot and the seal’s 
casing lost its material properties and burst under pressure. The seal collapsed and the 
nozzle shifted down and canted. To fix this condition for succeeding flights, the tack bonding 
of the Grafoil seal was eliminated. In addition, the seal’s density was increased along with 
removing the chamfer from its surfaces. [Chase, et. al., 1984] 
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Figure 11-3. Cross Section of I US Second Stage Nozzle 


The next example pertains to IUS-21 . It was flown on Titan IVB-27 in 1999 and the 
payload was Defense Support Program -19 (DPS-19). About six and a half hours after liftoff 
and when lUS was in the trans-geo flight the lUS initiated separation of the stages. The two 
stages did not fully separate and when the second stage fired the system tumbled into an 
unusable highly inclined elliptical Earth orbit. [Brinkley, et. al., 2008] 



Figure 1 1 -4. Sketch of lUS First and Second Stage 


Shown In Figure 1 1 -4 Is a sketch of the two stages in the unseparated state before the 
second stage was fired. The failure was a result of an electrical connector plug/jack and 
harness not disconnecting, preventing the two stages from separating. 

Investigation revealed that technicians wrapped thermal Insulating tape too close to 
the connector preventing stage separation; see the left figure in Figure 11-5. Technicians 
applied the thermal wrap according to the 1978 detailed operations procedures (DOP). The 
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DOP omitted unique requirements relating to the separation function, instead stated the tape 
should be applied within 0.5 inches of the mounting bracket flange. 




Figure 11-5. Electrical Harness as Built and Corrected 


There was a change in the DOP that stated: apply the thermal wrap no closer than 0.5 
inches and no further than 1 .0 inches from the mounting bracket flange, see the right figure in 
Figure 11-5. 

® A key message from Lesson 1 1 : 

Design for Robustness 

• Make system insensitive to perturbations and/or make the response 
manageabie 

• Stress simplicity in the design 

Lesson 12: Understanding Sensitivities and Uncertainties Is 
Mandatory 

® Determining system sensitivities leads to successful products. 

Eii Provides insights into design choices to achieve balance; 

(enables decision making) 

® High performance systems have high sensitivities and uncertainties; this 
complicates the design process (no small changes) 

<-> Incorporate appropriate philosophy and procedures for handling sensitivities 
and uncertainties throughout the process. 

Eii System sensitivities should be determined in conceptual design and 
evaluated throughout the design cycle 
Eii High sensitivities require more attention to design details; managing them 
leads to best design choices and reducing them reduces effects of 
uncertainties 
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Eil Uncertainties need to be determined for ali inputs/outputs associated with 
system design 

Eil Design must reduce uncertainties and provide appropriate margins 
E'3 in early phases of design, ensure that adequate margins are provided to 
cover the sensitivities and uncertainties of a specific vehicle, considering 
the immaturity of system definition 


Throughout the design of complex systems with high power densities numerous 
decisions are required to achieve the best balanced design. Sensitivity factor analyses 
provide insights in providing the best choices; thus enabling the best designs. For example, in 
the design of a liquid rocket vehicle system, the payload can be increased by increasing the 
engine specific impulse. Suppose a payload gain of 400 pounds could be achieved for a one 
second increase in engine specific impulse. Then for a 20 second increase in specific 
impulse, the payload would increase 8000 pounds. Thus the designer can decide how much 
to increase the specific impulse to achieve the payload requirement. In that decision process, 
the impact on engine design would have to be assessed along with other consequential 
interactive effects. In this example, the sensitivity factor would have been obtained through 
system performance analysis. In other situations, sensitivity factors can be also obtained 
through test or simulation 

High performance systems have high sensitivities and uncertainties which complicates 
the design. If a comparison is made between the design efficiency (power/pound) of a rocket 
stage and an airplane, the rocket stage is about two orders of magnitude higher in design 
efficiency. If compared to an automobile, the rocket stage is about three orders of magnitude 
higher. In consideration of uncertainty, one of the complicating factors in designing a launch 
vehicle is the uncertainty in the atmospheric winds. To deal with this uncertainty, the winds on 
the day of launch are measured to verify that conditions are satisfactory to fly. 

Sensitivities and uncertainties have to be determined and assessed through all stages 
of the design process. This requires attention to design detail to assess the best design 
decisions and potential for reducing uncertainty. In fact, uncertainty can in some cases be 
reduced by reducing sensitivities. Uncertainties can be determined from historical data bases, 
tests, and expert opinion. A major concern in design is determining the uncertainties in the 
output variables in terms of uncertainties in the input variables. Some of the methods used to 
assess uncertainty are root-sum-square (RSS) and Monte Carlo simulations. 

In the early phases of design it is important to ensure adequate margins are provided 
to assure headroom for unknown effects of sensitivities and uncertainties. As the design 
activity proceeds every effort must be made to understand sensitivities to achieve the best 
balanced design and to reduce uncertainty to reduce risk and provide design confidence. 

The following is an overview of uncertainty in rocket engine and structural design. In 
rocket engine design, high uncertainty results in high development cost. Figure 12-1 
illustrates the effect of uncertainty on high cost. [Havskjold, 2004]. The figure on the left is the 
number of rework cycles (corrective actions) as a function of technical uncertainty factor for 
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various subsystems. As the uncertainty increases the number of rework cycles increases. 
The uncertainty is a result of high static and dynamic flow induced loads, thermal transients 
and gradients, high pump speeds, welds, etc. In the figure on the right is the cost versus the 
number of years in the development. It can be seen that 73% of the development cost is a 
result of corrective actions (test-fail-fix). In the development of the SSME there were 38 
significant incidents that cost over $30 million per incident. 


Number of Corrective Actions Correlated 
With Risk/Uncertaintv Remaining at Start 
of Full Scale Testing 


Development Costs Dominated by 
Rework Cycles After Full Scale Engine 
Testing Begins 



□Turbo-machinery 
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c^Thrust System 


fiGas Generator 


oValves 

d 

o 

o * 

o 


Technical Uncertainty Factor(TUF) 


Corrective 


Test-Fail-Fix 

ycle 


SIngie ingine 
Certification 



initiai Design 
( 2 %) 


Engineering 

( 15 %) 


Demonstration 
( 10 %) 


Figure 12-1. Technical Uncertainty Leads to High Cost 


Having the experience shown in Figure 12-1 , what can be learned to Improve the 
effects of uncertainty? Shown in Figure 12-2 is an indication of how reducing uncertainty and 
improving processes can reduce development cost. 
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Process 
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Number Of Corrective Actions 



Cost To Perform 
Corrective Actions 


History 


Tecbnicf ! Uncertainty Factor 


Future Need 



Certified 

Product 


Time 


-Ejiptore Design Space 
-Improve Processes 
-Reduce Sensitivities 
and Uncertainties 
-Quantify Risk 



Figure 12-2. Combined Effect of Low Uncertainty and Improved Process 

to Reduce Cost 


Figure 12-2 indicates that as the uncertainty is reduced the number of corrective 
actions can be reduced and by process improvements the cost of corrective actions can be 
improved. The net effect will be reduced cost to achieve a certified engine. Uncertainty can 
be reduced by lowering the static and dynamic flow induced loads, e.g. decrease chamber 
pressure and open up flow areas. In addition, uncertainty can be reduced by reducing pump 
speeds, improved definition of environments, etc. Process improvements can be achieved by 
minimizing welds, application of friction stir welding, bonding by high isostatic pressing, 
reduced part count, etc. Overall by building on our experience base as shown in Figure 12-2 
and by implementing new design technologies, significant cost reductions can be expected in 
the future. 


Uncertainty in structural design is illustrated in Figure 12-3. In the middle of the figure 
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Figure 12-3. Uncertainty in Structurai Design 


are the probability density functions (PDF) of the working stress and the material allowable. In 
the region where there is overlap, failures will occur. In this example, the design has 
considered all the failure modes and the failure mode of concern is the strength. The 
variability in the material allowable can come from the random variations as characterized by 
the right-hand PDF’s and for the stress the variability can come from the random variations 
associated with the PDF’s in the left hand column. Knowing the associated PDF’s, the 
reliability of the design can be determined. In the example shown, the design would be 
unacceptable because of the size of the interference region. Various changes can be made. 
The mean stress can be reduced by reducing the load or changing geometry. The uncertainty 
could be reduced by restricting the uncertainty in the load, changing tolerances, improving 
welding, etc. The material properties can be improved by changing the material to one that 
has a higher allowable or one with less uncertainty or both. 

Sensitivity and uncertainty play important roles in the design of complex designs 
where there are high power densities. Sensitivities provide insights regarding developing the 
best balanced design and also aid in reducing uncertainties. Knowing the uncertainty 
provides a means for assessing risk and provides confidence in the design. Understanding 
past experiences (lessons learned) and applying new design tools provide visions toward 
design improvements to reduce cost in the future. 

Examples: 

• Saturn V Field Down Post 

• Space Shuttle Liftoff Loads 

• Alternate Turbo Pump Vibration 

• SAFE Solar Array Day-Night Frequency Shift 
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• Space Shuttle Parameter Uncertainties Matrix 

• SRM Thrust Bucket and SSME Throttling (Lofting vs. Throttling) 

• SRM Gimbaling Nozzle 


Saturn V Hold Down Post (Liftoff Loads) 

Safety requirements dictate that all liquid engines of the initial flight stage be at full 
power and healthy before releasing the vehicle from the launch pad. To meet this 
requirement the vehicle Is attached to the launch pad with large mechanisms with sufficient 
strength to counteract the thrust force pad environments with margin. As a result the total 
thrust (7.5 million pounds) of the Saturn V first stage is stored in the structure as strain 
energy (potential energy). When the engines are all declared healthy the vehicle is released 
from the pad to fly Into space. This release of energy creates a very large structural dynamic 
response of the vehicle and increases the loads significantly in the vehicle first stage with 
some increases in the loads In the other vehicle stages. These load Increases would result In 
performance loss due to the structural weight increase required to handle the loads. As a 
result a soft release was employed as illustrated on Figure 12-4. It consisted of a tapered bolt 
that was severed using a pyrotechnic device. The tapered bolt was then pulled through the 
smaller diameter skirt attachment hole, slowly releasing the energy and decreasing the loads 
by approximately 30%. Summarizing: 

• Engines are started and are at full thrust In order to assure engine health, before 
releasing the vehicle from the launch facility. 

• Engine thrust energy is stored in the thrust frame and other vehicle structures. 

• The stored energy, that is suddenly released, creates a large dynamic response. 

• Saturn V used a soft release mechanism in order to reduce the dynamic response 
(loads). 

• The release was an extruding bolt through an orifice as shown on the next figure. 

• Loads in the rear of the vehicle were reduced more than 30%. 
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Saturn V Holdown Post 


Soft Release Mechanism 



Soft release is achieved by 
the pad hold-down bolt 
being pulled through a 
constricted pipe attached to 
the aft skirt. The bolt stayed 
attached to the launch pad. 


Figure 12-4. Saturn V Hold Down Post Soft Release Mechanism 


Space Shuttie Liftoff Loads 

Space Shuttle had the same requirement as Saturn V with a much more complex 
dynamic system and with a very sensitive performance issue. Therefore it was mandatory 
that structural mass be as minimum as possible. The Shuttle is a five body system 
connected with interfaces called struts and/or attachment mechanisms. The vehicle is 
unsymmetrical in the pitch plane with the arbiter attached on the side of the External Tank 
and Solid Rocket Motors. The vehicle is held to the Mobile Launch Pad (MLP) with four 
pyrotechnic bolts on each solid. See the following figure. The vehicle is first filled with the 
cryogenic liquid propellants which shrinks the External Tank longitudinal and in diameter. For 
example the aft SRB to ET attachment strut is at 7 degrees to perpendicular before filling the 
tank and becomes perpendicular due to the cryogenic shrinkage when the tanks are filled. In 
addition its diameter shrinks approximately 2 inches. This stores energy into the structure. At 
the start of the on pad liftoff cycle the SSME’s are ignited and carried to 90% thrust to ensure 
engine health. The engines are canted for c.g. tracking and are offset from the vehicle center 
line several feet. This stores additional energy in the structure in two ways. The arbiter is 
lifted up bending the vehicle over the attached points introducing a large bending moment in 
the system. This can be illustrated visually by watching the launch of Shuttle observing the 
tank tip moving laterally approximately 36 inches. This sets up a dynamic motion of the 
vehicle on the pad about the mean moment introduced by the SSME thrust. Since the 
engines are offset, they also push the Orbiter and ET between the two motors that are 
holding the vehicle to the pad. [Ryan, 1996] 

At SRB bolt release all this stored energy is released creating a large complex 
dynamic response. The interaction of the four vehicle bodies plus the payload body requires 
approximatly 300 bending modes to simulate the response and calculated all the system 
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loads. At release two additional forces add to these dynamic responses, thus loads. These 
are the expansion of the Solid Rocket Motor due to the 960 psi of internal pressure created 
by the burning propellant. This pressure goes from zero to the 960 psi in 500 milliseconds 
after motor ignition. The ignition of the motors and the large thrust created moves through 
the launch pad thrust tunnel creating a overpressure wave that travels up the vehicle. Since 
the Shuttle is a 1 V 2 stage vehicle it is very performance critical, thus these high dynamic loads 
had to mitigated to reduce structural weight. 

As stated above the SSME thrust at engine start and buildup creates a dynamic 
motion laterally as shown on Figure 12-5. The vehicle motion of moving back to a minimum 
position has a minimum energy point at which time if the vehicle is released from the pad will 
have the lowest load. Shown as stored bending moment on Figure 12-6 is the time 
dependency of the bending moment. As a result it was decided to burn the SSME’s 214 
seconds beyond the point where they are declared healthy, greatly reducing the loads. This 
delay of liftoff from the time of verified SSME’s to the minimum energy point reduces vehicle 
performance but at a much lower level that would be the impact of the increased loads. 

Figure 12-7 is a plot of the predicted liftoff response versus a flight response. 



Figure 12-5. Shuttle Liftoff Dynamics 
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• The bottom figure 
shows the SSME thrust 
history. 

• The top figure shows 
the bending moment 
stored in the vehicle as 
a function of time after 
SSME’s ignition. 

• SRM ignition and iiftoff 
is deferred about 2 
seconds until the 
bending moment is 
minimum. 


Figure 12-6. Shuttle Liftoff Timing 


In Figure 12-7 one can see the stored load and the minimum energy release point 
followed by the large dynamic response discussed above. The plot is for the ET to SRB strut 
load response. The difference in prediction versus flight is explained by the fact that the 
prediction was for 3-sigma conditions while the flight was near nominal conditions. 


Shuttle Liftoff ET-to-SRB Strut Load Response 
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Figure 12-7. Shuttle Liftoff Loads 
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These two examples show how the uncertainty and sensitivities of a system were 
understood, resulting in a better performing system. 

In summary: 

• Space Shuttle, due to its asymmetrical configuration, stores energy as the SSME’s 
thrust lifts the Orbiter and pushes the Orbiter and External Tank between the SRB’s. 

• The energy is stored by deflecting the External Tank (36” at the tip) and twisting the 
SRB’s pad attach hardware. 

• The liftoff response is very dynamic and sensitive. Loads can change 30% with small 
changes in the configuration or its operating parameters. 

• The liftoff signal is delayed approximately 2 seconds in order to have the system at a 
minimum stored engine condition. 

• The liftoff delay cost approximately 1 ,000 lbs of payload, which was less than the 
payload impact of designing to the unmitigated load. 

• The loads sensitivity at liftoff requires loads analysis and verification for each 
launch/payload. The consequence is operational complexity. 


Alternate LOX Turbopump Vibration Probiem 

The SSME did a block upgrade on the high pressure turbopumps to eliminate most of 
the fracture and fatigue problems associated with the original turbopumps. These new 
pumps were called ATD pumps (Alternate Turbopump Development pumps). During 
development test of the ATD LOX turbopump, the pump experienced large synchronous 
vibrations which would shut the test down. The following plot and pump schematic (Figure 
12-8) shows response that would nearly instantaneously increase to a high level shutting 
down the test. The solution turned out to be the bearing dead band after much effort had 
been expended on trying to decrease the hydrodynamic forcing function. The pump 
response was so sensitive that changing the dead band 2 mils (two thousandths of an inch — 
less than the thickness of a sheet of paper) would stop the vibration, while reversing it would 
reinstate the problem. This placed a strict manufacturing tolerance on assembling the pump. 
Through understanding this sensitivity, the pump has not had any vibration problem over 
many Shuttle flights. [Problem solution team working notes and Ryan et al, 1994] 
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ATD Synchronous Vibration Fix Summary 
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Figure 12-8. Alternate LOX Turbopump Vibration Fix Summary 


Solar Array Flight Experiment (SAFE) Day-Night Frequency Shift 

The solar array flight experiment had two objectives: (1) Develop a method for 
dynamic testing of large space structures in space, (2) Evaluate the effectiveness of a new 
design for soiar power. See Figure 12-9, showing the solar array extended out of the Shuttle 
cargo bay. During the experiment a shift occurred in the natural frequency of the array when 
going from night to day during the orbit; this was not predicted. The reason for the shift was 
the thermal induced contraction and expansion of the array changing its moment of inertia. 
This can be seen in Figure 12-10 as a cupping of the array during the night portion of the 
orbit. Aithough thermal effects on structure are well known it was not expected to have much 
effect on this iarge a structure. Again the lessons keep repeating themselves; understand and 
quantify sensitivities. The experiment was very successfui showing that dynamic testing of 
iarge structures in space was feasible. [Schock, et al, 1986] 
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• Dynamic modal response 
frequency shifted when 
going through the day and 
night terminator. 

• Thermal gradient caused a 
cupped deflection of the 
array, thus changing the 
moment of inertia, causing 
a shift in the frequency. 


Figure 12-9. Artist’s Conception of the SAFE Soiar Array Experiment On Orbit 



Figure 12-10. Picture of Deployed SAFE Solar Array Made from Space Shuttle 


Space Shuttle Parameter Uncertainties Matrix 

In the early days of Shuttle design it became very clear that the sensitivities of the Shuttle 
system to parameter uncertainties required a concerted effort to define all the parameter 
uncertainties that affected the vehicle induced environments, etc. This was a concerted effort 
coordinated by the Ascent Flight Integration Working Group (AFSIG). It took approximately 
two months to complete the initial version. The uncertainty levels were burned down as the 
program progressed and more data was collected from test and flights. The lesson is clear; 
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each project must develop and put under control all parameter uncertainties and continue to 
burn them down throughout the lifecycle. The guidelines for development of this data follows: 

• In order to achieve a balanced design for Space Shuttle, the vehicle driving 
parameters required determining their mean values and their 3 sigma variations. 

• These variations had to be established for each mission event and each major design 
function. 

Figure 12-1 1 shows a partial listing of the parameter variations, illustrating the format and the 
magnitude of the task. This compilation was a large document that was placed under 
configuration control. 


Example Table from Extensive Parameter Matrix 
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Figure 12-11. Partial Listing of Shuttle Parameter Variation Matrix 


SRM Thrust Bucket and SSME Throttling (Lofting vs. Throttling) 

Constraints on space system designs are necessary; however, they always cost the 
system in terms of flexibility, performance, and programmatics. The Space Shuttle dynamic 
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pressure constraint at max q is a good example. The constraint was necessary for the 
elimination of buffeting of the Orbiter tail section and to keep induced environments such as 
loads within bounds. The vehicle performance is very sensitive to the constraints of 
controlling dynamic pressure and staying within the longitudinal acceleration limit of 3.15 g’s. 
The following listing shows the sensitivities and general characteristics. In general reducing q 
by 1 psf by throttling is a loss of 25 pounds of payload while lofting cost 250 pounds of 
payload for a 1 psf reduction. In order to implement these constraints the SSME has to 
throttle to the minimum possible which is determined by the dynamic loads in the nozzle as 
thrust is lowered. This is a result of the requirement that the nozzle shape be optimized for 
operation from ground to vacuum and is a compromise of the nozzle instability versus 
maximum performance in vacuum. The SRM grain had to be shaped such that there was 
also a SRM thrust reduction during Max q. Finally an adaptive guidance scheme for SSME 
throttling was instituted to obtain increased vehicle performance as compared with a 
predetermined SSME throttling profile. [Ryan, 1996] Just remember “Constraints Cost.” 

Dynamic Pressure Constraint 
(Lofting vs Throttiing) 

• SSME throttles to maintain the longitudinal acceleration at 3.15 g’s and to keep the 
dynamic pressure (q) within the 650 psf nominal limit. 

• During atmospheric flight SSME cannot throttle below 65% full thrust due to the nozzle 
side loads. 

• The 65% limit means that lofting must be used in conjunction with throttling to maintain 
q within 650 psf. 

• The penalty for lofting is approximately 250 lbs payload loss for each 1 psf q reduction, 
while the penalty for throttling is 25 lbs payload loss for each 1 psf q reduction. 

• Dynamic pressure limits can be traded for structural weight. 


SRM Gimbaling Nozzle 

In the early phases of Shuttle design, it was hoped that gimbaling the three main 
engines on the Orbiter would provide sufficient controllability during ascent flight. Therefore, 
the initial design had fixed nozzles on the Solid Rocket Motors (SRM’s). As more information 
was obtained on SRM characteristics and other parameter variations, it became apparent the 
vehicle would not be controllable by the main engines alone due to uncertainties in SRM 
thrust direction and other perturbations. Thrust vectoring capability had to be added to the 
SRM’s, as indicated in Figure 12-12. [Ryan, 1996] 
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• Because of uncertainties in SRM thrust direction and other 
parameters, Space Shuttie was not controiiabie without thrust 
vectoring on the Soiid Rocket Motors. 

• Vectoring the thrust on soiids is a major design probiem. 

• A fiex bearing and seai was required. This bearing/seai is made of 
eieven rubber/steei iaminations. 

• Moving the nozzie (thrust vectoring) requires iarge actuator forces 
due to the stiffness of the fiex bearing/seai. 



Figure 12-12. Solid Rocket Motor Gimbaling Nozzle 


This was a major impact to the SRM design and the total Shuttle vehicle. Vectoring a 
solid rocket motor nozzle greatly Increases its complexity. The approach taken was to use a 
flex bearing and seal made of eleven rubber/steel laminations. Moving the nozzle to vector 
the thrust requires large actuator forces to overcome the high stiffness of the flex bearing and 
seal, plus other loads such as aerodynamic forces. Actuator deflections, rates, and 
accelerations must be adequate for controllability and control stability. In turn, large actuator 
forces require high output hydraulic power supplies in the aft skirts, along with the attendant 
complexities of handling hazardous fuels. So an Inherent uncertainty In the system led to 
major operational and cost impacts. 

Here again we are dealing with uncertainties and sensitivities that must be understood, 
quantified and ameliorated or the design will not work. Not only must these be understood 
and managed, but also the derived requirements flowing from uncertainties and sensitivities 
often are design drivers that must be accurately determined. 

<> A key message from Lesson 12 is: 

Quantifying sensitivities, uncertainties, and margins enables balancing risk. 

To ignore system sensitivities and uncertainties is a recipe for failure. 

Quantify 

Understand 

Manage 
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In the next lesson we will apply the understanding of sensitivities and uncertainties as 
a measure for the requirements of a system to have margins in the design. 


Lesson 13: Program Margins Must Be Adequate 

<-> Margins must be adequate to cover anticipated growth during design, TRL 
immaturity, and sensitivities. Otherwise, many design probiems, overruns, and 
reduced performance will occur. 

We have just discussed the importance of understanding of sensitivities and 
uncertainties. This understanding is one of the main drivers for intelligently adding margins of 
the system in addition to providing means of covering uncertainties and unknowns that are 
always present in a system. The following lesson, Margins must be adequate, will deal with 
Space Shuttle lack of margins and techniques to recover the induced performance losses 
and the SSME pump bearing corrosion issue. 

Examples: 

• Space Shuttle Performance Margins 

• SSME LOX Pump Bearing Race Failure 

Space Shuttle Performance Margins 

During the Space Shuttle design process and first test flights the lack of margins and 
the solution to encountered problems resulted in an approximate 45,000 pound payload 
performance deficit for the Air Force mission. Many of these issues were seen during the 
design cycle that resulted in numerous weight reduction strategies and planned block 
changes to the Shuttle elements such as SRM, ET, SSME and Orbiter. The solutions also 
resulted in many operational procedures and constraints. An example is structural loads that 
require a Day of Launch l-Load update based on wind measurements made 4 hours prior to 
launch. The following listing shows these modifications that were baselined to recover the 
payload losses and solve other problems. 

Increase Performance of Propulsion System 

o SSME @ 104% thrust design operating point and later upgrade to ATD Pump 
o Large Throat, and Two-duct Manifold 

Weight Reduction Program 

o Light Weight Tank and later upgrade to Super Light Weight Tank 
o Orbiter weight reduction 
o High performance SRM 
o Reduced wind criteria 
o Flight derived dispersions 
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Operational Problems 

o Additional maintenance, refurbishment, and inspection 
o Additional day of launch analysis / constraints 
o Additional day of launch operations 

Details will be shown in Lesson 15 

Many of these solutions created other problems; for example, the SSME thrust 
increase created increases in dynamic environments in the engine which resulted In many 
fracture and fatigue issues that had to be resolved with engine component block upgrades. 
Part of the original solution also resulted in giving up some of the launch availability to reduce 
loads. Not only did the program accomplish upgrades, but a major effort was made to take 
conservatism out of criteria, environments and design parameters. 


SSME LOX Pump Bearing Race Failure 

After Mission STS-27, post-flight inspection of the SSME LOX Pump found that the 
inner race of the turbine-end bearing had cracked through. Fractography showed that the 
crack had occurred before engine start, indicating that the engine had run its full duration with 
a cracked bearing race in the presence of liquid oxygen. This very hazardous situation was 
not revealed until the post-flight hardware inspection. Location of the turbine-end bearing is 
highlighted in the circled area of the turbopump cross-section on Figure 13-1 . 



Figure 13-1. SSME LOX Pump Cross-Section Highlighting Bearing Location 
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The cause of the fracture was determined to be stress corrosion in a high stress 
condition. During assembly, the shaft is cooled with liquid nitrogen to achieve an interference 
fit of the bearing onto the shaft. The resulting residual hoop stress in the presence of water 
that condensed during assembly led to the fracture. Also, there was potential contamination 
from the Freon cleaning solution. 

The hoop stress caused by the interference fit was 30 ksi or greater, which was excessive for 
the inner race material. To gain adequate margin, the design was adjusted to limit the hoop 
stress to 24ksi, and the contamination and condensation issues in the assembly clean room 
were addressed. This solved the stress corrosion cracking problem. Also, in some later 
applications for the Advanced Turbopumps, the race material was changed to a stronger 
material, which gained additional margin. 


® A key message from Lesson 13 is: 

Allocate adequate technical and programmatic margins or you will pay 
for it later. 


Principle VI: Project Success is Determined by Life Cycle 
Considerations 

This principle recognizes the importance of life cycle issues — its effect on design choices 
available, the large role that concept selection plays, recognition of how requirements have 
far-reaching, sometimes unintended consequences, and the need to achieve the best design 
for the entire life cycle. 

Four lessons will be discussed: 

14. The Design Space is Constrained Based on Where You Are in the Life Cycle 

15. Concept Seiection and Design Process 

16. Requirements Drive the Design 

17. Design for the -ilities and Cost 

Lesson 14: The Design Space is Constrained Based on Where 

You Are in the Life Cycle 

® Three Life-Cycle Categories 

Eii Conceptual/lnitiai Design 

■ Open design space for choices and trades 
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E3 Detail Design 

■ Design space constrained by concept choice 
Eii Verification/Operations 

■ Design space constrained by the as-buiit system 

■ Must make system work. Soiution options limited 

As we proceed through the system’s life cycle, the range of choices available to affect 
the design and its operation become more constrained. Consider three timeframes within the 
life cycie: (1) at Conceptual/lnitial Design, (2) at Detaii Design, and (3) at 
Verification/Operations. At Conceptual/lnitiai Design, the design space is open, aliowing 
essentially free choice of design variables to meet the mission requirements. By the time of 
Detail Design, the concept has been seiected and preiiminary design decisions have been 
made. This severely limits the freedom of the designer to choose variables. The majority of 
the system performance and cost attributes are determined by the concept that has been 
seiected, as will be addressed in Lesson 15. Once the system has been manufactured, at 
the time frame of Verification or Operations, the design space is constrained by the as-built 
system. Unless there is to be a major redesign cycle, the system must then be made to work 
by minor adjustments or by operationai constraints. Solution options are very limited at this 
point. It is clear that early choices have a major constraining effect on the range of 
downstream choices that can be made. 

Exampies: 

• International Space Station Rack Design 

• Replacement of SSME Baseline Turbopumps with Aiternate Design Turbopumps 


International Space Station Rack Design 

In designing the International Space Station (ISS) science racks (Figure 14-1), four 
issues were paramount. (1) The racks needed to be iightweight. (2) Fiexibility in mounting 
and operating various experiments was desired. (3) Because some of the experiments wouid 
need a low-gravity environment, the presence of crew motion and other disturbances meant 
that a vibration-isoiation system should be incorporated into the racks. (4) The racks had to 
be sufficiently stiff to meet minimum frequency requirements as a Shuttie payioad, to avoid 
dynamics and ioads problems during iaunch. [Bookout, 1996] 
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Machined Aluminum 
Attach & Pivot Points 


Extruded Aluminum 
Upper Horizontal 


Four issues were paramount in the 
design of the ISS Science Racks 

- Weight reduction 

- Experiment operations and 

mounting flexibility in rack 

- Vibration isolation at zero g 

- Meeting Shuttle frequency 

requirements 



Upper/Lower) 


Constraints create unwanted compromises of a design. 


Figure 14-1. ISS Science Rack Design 


Initial consideration of the design requirements and constraints led to a choice of 
composite material as a means of saving weight and achieving acceptable stiffness; 
however, when all the constraints, requirements, and accommodations were met, the weight 
saving of composites as compared to aluminum was not realized. It would have been simpler 
and less expensive to have gone with metal construction from the start. 

Also, design of the active vibration isolation system was difficult because of geometric 
constraints in addition to the other constraints and requirements listed above. It is clear that 
constraints create unwanted compromises of a design. 

Another aspect of ISS rack design related to the need to use the racks for many 
different functions. A number of them are illustrated in Figure 14-2. Granting the flexibility of 
a single design to accomplish all these functions created design and verification problems. 
However, in general, the advantage of commonality outweighed the design issues. 
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Flexibility and commonality are very desirable for operations, but can 
create many design issues and challenges. 


Figure 14-2. ISS Rack Functions and Configurations 


The Space Shuttle Orbiter configuration is another example of this issue. The Shuttle 
was developed to a multi-agency set of requirements from both NASA and the Department of 
Defense. Military requirements dictated larger payloads and greater reentry cross-range than 
did NASA’s requirements. DoD required a 1500 nautical mile cross-range to enable landing 
at the launch site after a once-around delivery orbit. NASA’s cross-range requirement was 
less, being dictated by abort considerations. There were two competing Orbiter 
configurations: a delta-wing design needed to produce sufficient hypersonic lift/drag ratio to 
achieve the DoD cross-range requirement, and a simpler straight-wing design that could 
satisfy the NASA requirement. Because the vehicle design had to envelope both 
requirements, a delta wing was chosen. 

Obviously, there is no way of determining how a matured straight wing design would 
have performed, although predictions at the time indicated it would have a simpler thermal 
protection system and a less-demanding landing system. Because of subsequent 
developments, the DoD never made use of the Orbiter’s cross-range capability, but the 
Shuttle program has continued to pay the operational costs associated with the delta wing 
configuration and its thermal protection system. 

Flexibility and commonality are desirable goals, but they usually constrain the design 
space and can create design issues and challenges. Early In the project, make sure that 
commonality requirements are indeed firm, and that their downstream implications are 
understood. 

Replacement of SSME Baseline Turbopumps with Alternate Design Turbopumps 

The replacement of the original Rocketdyne turbopumps by the Pratt and Whitney 
alternate turbopumps (Figure 14-3) drew on lessons learned from the original pumps to 
improve reliability and maintainability. The weight allowance for the alternate pumps was 
increased over that for the original pumps. The increased weight allowance accommodated 
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significant improvements in turbopump design and reliability; however, the alternate pump 
designs had to interface with the existing engine system, including the powerhead and ducts. 
Geometric, pressure, and thermal interfaces had to be matched while meeting weight 
requirements. Because of these constraints, the alternate pumps couldn’t make full use of 
the lessons learned and produce a fully optimized design. 


O The P&W Alternate High Pressure 
Turbopumps were designed using 
lessons learned from the 
Rocketdyne pumps. 

© Full advantage of the lessons could 
not be utilized since the pumps 
must be compatible with the 
existing engine powerheads, ducts, 
etc. 

© These constraints were: 

- Geometric 

- Pressure 

- Thermal 

- Weight 



Constraints required to use a new component in an existing system in 
general lead to a non-optimal design and higher costs. 


Figure 14-3. Alternate High Pressure Turbopumps 


In general, interfacing constraints required to use a new component in an existing 
system lead to a non-optimal design and higher costs. 

So, the lesson is to recognize life cycle effects on the design space. As we progress 
through the design process, fidelity increases and uncertainty decreases, but the design 
choices decrease. Minimize constraints to increase design opportunities. 

® A key message from Lesson 14 is: 

Recognize Life Cycie Effects on the Design Space 

- Fideiity increases 

- Uncertainty reduces 
but 

- Design choices decrease 

Minimize Constraints to increase Design Opportunities. 
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Lesson 15: Concept Selection and Design Process 

Eii 80 % of the project problems are locked in with concept selection 

Lesson 14 indicated how the freedom to make design choices decreases as the 
design matures. This lesson shows that the constraining effect is powerful; that choices made 
early in the design process determine the great majority of the system’s final attributes — how 
it operates, the problems it experiences, and what it costs. 

<> The right concept selection is critical. The best detailed design will not correct a 

flawed concept. 

® Put sufficient effort into front-end engineering (Quality Lever). 

Eii Ensure that options are fully explored, converging with successive 
refinement (greater detail) of concepts and requirements. 

• Pick a concept only after appropriate convergence of the various 

concepts or options; i.e. don't "Eureka" the answer. 

Eii Attain sufficient fidelity before selecting concept 

• Don't depend on sizing programs alone. 

■ In early phases, discipline specialists must assess validity of sizing 
program results. 

E'3 Employ technologies of adequate readiness levels 

• Avoid concepts having too many low Technology Readiness Levels. 

® Don't roll the dice 

Choice Choice Choice 

Selecting the right concept is critical. The best detailed design will not correct a flawed 
concept. (Conversely, a good concept can be ruined by poor detailed design.) This means 
that we must put sufficient effort into front-end engineering. Three aspects of what must be 
done in concept development and selection are highlighted: (1) Fully explore options, (2) 
Penetrate competing concepts with sufficient fidelity before selecting concept, and (3) Employ 
technologies of adequate readiness levels. 

Fully explore options. Design activity involves conceiving a wide range of competing 
architectures, concepts, and design alternatives that are candidates to meet system 
requirements, then sifting and screening out unsuitable or less desirable alternatives to arrive 
at the best architecture, concept, and design. Additional candidate architectures, concepts, 
and design alternatives may come to light as the process progresses. These are added to 
the previous candidates and the screening and successive refinement continues. It is 
important to ensure that the options are fully explored. We must resist the natural tendency 
to jump to a solution that appears attractive initially. We should not “Eureka” the concept; 
instead, use a disciplined approach of applying consistent logic to all alternatives, ensuring 
that each gets a fair assessment. Pick a concept only after appropriate convergence of the 
possible concepts. 
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This philosophy applies in other activities as well. Failure investigations are especially 
prone to the “Eureka” trap. All possibilities should be explored, and alternatives should be 
discarded only after clear, consistent logic dictates. 

Penetrate competing concepts with sufficient fidelity before selecting concept. Fidelity 
of definition increases throughout the design process. Before downselecting, it is critical to 
attain sufficient fidelity in the competing concepts to allow valid comparisons; else the wrong 
choice may be made. Experience has shown that at the concept selection level, we shouldn’t 
depend on the fidelity of sizing programs alone, but should involve discipline specialists to 
assess the validity of the sizing program results. An integrated engineering assessment 
similar to the Vehicle Integrated Performance Analysis (VIPA) approach can be valuable in 
this regard. 

Employ technologies of adequate readiness levels. Concepts that require too many 
technologies at a low readiness levels should be avoided. There are various rules of thumb 
concerning this, the most common being to have no more than two technologies at readiness 
levels below TRL 6. Any immature technology should have a sound development plan, with 
off-ramps to alternative approaches should the technology not pan out. 

These recommendations are directed toward converging to the right concept in a 
comprehensive, logical manner. Don’t roll the dice, but make deliberate, correct choices. 

While this lesson deals specifically with concept selection, the principles apply also to 
other phases of the design cycle where alternatives are being assessed, such as trade 
studies, problem solutions, and block change assessments. 

Examples: 

• Quality Lever 

• Saturn V Concept Selection History 

• Space Shuttle Concept Selection History 

Examples to be cited are the Quality Lever and a comparison of the concept selections for 
Saturn and Shuttle. The consequences of the Shuttle’s concept selection on its performance 
evolution are illustrated. 

Quality Lever 

The Quality Lever (Figure 15-1) is a classic representation of the leverage and 
importance that early decisions have on a project. Investment during concept selection and 
early design is the most influential on product quality. Later in the life cycle the leverage 
decreases, and after the product is manufactured, the choices are limited to operational 
procedures required to make it work. Although this principle is generally known, one can 
make the observation that the reward systems of most organizations give greater recognition 
to problem solving in the downstream life cycle phases than to the avoidance of problems 
through good upfront work. 
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Figure 15-1. Quality Lever 


Saturn V Concept Selection History 

The Saturn V concept selection and design was an evolutionary process, built on 
experience from prior systems including Redstone, Jupiter, Saturn I, Saturn IB, and 
unmanned Saturn V flights (Figure 15-2). This process is described in detail in Stages to 
Saturn. [NASA SP-4206, 1980] 



Redstone. Jupiter, and 
Mercury Redstone 
launch vehicles 


Saturn C-1 (SA-21 SA-6 and Apollo Apollo SIVB SIB. 

on complex 34 1961 "boilerplate'* Spacecraft Complex 34 

complex 37 May 1964 August25. 1966 


SA-501 LC39A 
November9. 1967 
Apollo 11 First Moon 
Flight LC 39A July 16. 1969 


Figure 15-2. Building Blocks for the First U.S. Satellite, First Manned Space Flight, 

and Saturn/Apollo 
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Although building a system the size of Saturn V was stepping into uncharted territory, 
most of its technology and systems represented quantitative steps from prior systems versus 
qualitative leaps. In addition to this building block approach, the vehicle Itself was conceived 
and designed for simplicity and a minimum number of interfaces, which reduced the number 
of downstream unknowns and problems. Also, there were three unmanned test flights of 
Saturn V before a crew was put on the vehicle. This careful process led to successful Apollo 
launches, culminating in the mission successes represented on Figures 15-3 and 15-4. 



Firstlunar landing vehicle is Aeriai view of Apollo 11 as TheApollo 11 crew July 16, 1969 

rolled out of the VAB and down it nears the end of rollout Aldrin, Collins. & Arm strong 
the 3,5 mile crawlerway to 
Launch Complex 39A 




Werner von Braun LM going to Moon 
during Apollo 11 
launch 


Armstrong’s first photo 
after setting foot on the 
Moon July 20, 1969 



Armstrong and Aldrin 
raisethe U.S. flag on 
the lunar surface 



Landing site from 
a distance 




LM returning from 
Moon 



A stronauts await pickup 
July 24, 1969 



Mission control 
Celebrates return 



President Nixon 
greets astronauts 


Figure 15-3. Saturn Apollo to the Moon 
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Figure 15-4. Apollo 11 Lunar Base 


Space Shuttle Concept Selection History 

The Space Shuttle concept development followed a path quite different from that of 
Saturn V. Dennis Jenkins’ book [Jenkins, 1997] provides an excellent description of the 
process, both technical and political. The Initial idea was to have a fully-reusable system, 
which would have provided the lowest operational cost for the traffic model envisioned at the 
time. Many studies involving much effort were focused on two-stage concepts where both 
the booster and the orbiter were fully reusable. The problem with this approach was the 
development cost, which was estimated at $13.5 billion. The budget and political situation at 
that time did not allow this level of funding, but instead limited funding available for 
development to $5.5 billion. This constraint provided little leeway for concept choices. After 
exploring what could be developed within the funding constraint, NASA converged on the 
solid-boosted, stage-and-a-half , partially reusable configuration of the current Shuttle (Figure 
15-5). 
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SHUTTLE SYSTEM DESIGN EVOLUTION 


(2) ALL REUSA0tE0O)SraANPORWrER-rtC5H CROSS-RANGE ORKTER 
P) FLY-SACIC BOOSTER (L02n>C) - EXTERNAL LH2 TAMC ORWTER 
(4) FLY-BACR BOOSTER (L02/RP-1) - EXTERNAL L02 A LH2 TANK ORBTTER 
P) RECOVERABLE PRESSURE-FEO BOOSTER - EXTERNAL L02 A l>C TA^4; ORBTTER 

(6) t>«ustass»steoorbttersystem 


At the end of the Phase B Extension. North American included this chart in their final 
report showing the conceptual evolution of the space shuttle from Phase A through 
Phase C. (North American Rockwell) 


Ref: SPACE SHUTTLE -Jh9 Histoty ofth^ NationaiSpac^ Trans pottatioa Sysfem, DeniisR. Jenkins, 1992-2001 


Figure 15-5. Space Shuttle Concept Evolution 


This configuration had few applicable precedents, and the Interfaces were complex 
instead of simple. Also, the extreme efficiencies demanded by the stage-and-a-half approach 
resulted in a highly sensitive system. New technologies were required in thermal protection, 
propulsion, and other areas. Consequently, the development program had many difficulties 
and operation of the Shuttle remains complex and expensive. The concept that was chosen 
determined the subsequent complexities and costs. 

A look at the evolution of Shuttle payload performance illustrates the sensitivity of the 
configuration. Lesson 13 addressed the performance loss of the Shuttle due to various 
design problems and issues. Also discussed were the solution approaches including block 
upgrades. The following table shows the source of those performance losses and some of 
the solutions applied. [Author’s working papers] 
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Space Shuttle Performance Evolution 

Representative Changes 


EVOLUTION ITEM 

1 . Orbiter design against real requirements led to not meeting 
weight target. 

2. Environments (ioads) increase due to empioying quartering high q 
winds. Several impacts resuited: 

- Baselining monthly mean wind biasing for design 

- Three-axis and eleven load relief 

- Increased analysis and testing 

- Aerothermal/thermal protection system impacts (SRB and ET) 

- Performance loss from path deviations 

3. SRM fixed nozzie was redesigned to a flex gimbaled nozzle for 
adequate control. 

4. Lift-off ioads increases: 

- Staggered SSME start and abort shutdown 

- Ground winds constraints 

- Weight increases / redesigned Shuttle elements 
(individual payload impacts not documented) 

- Pre-tensioned SRB/ET struts until LWT tank 

5. Missed aerodynamic predictions / STS-1 lofting 

- Trajectory constraints on q, SRB separation, alpha trim 

- Performance loss 

- TPS impacts on ET and SRB 

- Reduced launch probability for winter months 

- Orbiter wing mods (leading edge) 

- Day of launch l-load updates 

- Flight-derived dispersions 

6. Isp did not meet design goals 

- SSME 

- SRM 

7. STS-1 SRB ignition overpressure 

- Modified water injection system (water into thrust buckets) 

- Water troughs over drift hole 

- Payload loads Increases (limited redesign / reverification) 

8. Orbiter tiie debond and debris damage 

- Operations 

9. Other 

- Landing gear and brakes 

- Engine upgrades 

- SSME fatigue and fracture problems 

- ET fracture control 

- Isp loss for plugged LOX post 

- SRB recovery 


IMPACT 
-27,000 lbs 

-5,000 lbs 


-1,200 lbs 
-5,000 lbs 


80% 


-2 V 2 sec 
-1 sec 


-1 sec 
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* Water impact damage 

* Acoustics (reentry) 

* Thermal (reentry) 

Approximate Total Payload Loss - 45,000 lb 


The following graph (Figure 15-6) shows the approximate original Shuttle performance 
and the approximation of the current performance. This performance is plotted for the Air 
Force mission mentioned earlier. Listed beside the last two bars are performance 
enhancement solutions that were applied to partially recover the initial losses. 


Space Shuttle Performance Evolution 


60K - 


50K - 


40 K 


30K - 


20K - 
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Structural 

Weight 

Growth 


Original Requirement 

Acceptable Risk Level Maintained 
with Additional Operational 
Complexity and Expense 



Fliglit 

1 


Fliglit 

8 


Fliglit 

100 


Performance numbers validated in "America's Best Gets Better" http://spaceflight1.nasa.gov/shuttle/seconddecade 


Figure 15-6. Shuttle Performance Evolution 


In summary the Shuttle concept was driven by external requirements and constraints 
which resulted in complex technical problems, high cost, and operational complexity which 
entailed a very high sustaining engineering effort. The lesson is clear; we must constantly 
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drive back on performance requirements and make every effort to obtain as robust a system 
as possible yet still meet the performance and programmatic requirements. 

Was the wrong concept decision made? Addressing this issue in a discussion group, 
John Yardley acknowledged the Shuttle’s operational challenges and costs, but said that the 
Congressional mandate on constraining development cost had been clear. “Had we not 
made the choices we did, there would not have been a Shuttle program.” Given the political 
reality, the right choice was made. 

The Saturn V and Shuttle examples illustrate the power of concept selection on the life 
cycle attributes of a system. We need to get it right, up front. Choose the best concept for 
the total life cycle, after exploring all alternatives. Does this mean that the choice will be free 
of political or policy considerations? No — it never has been and never will be. And those 
considerations will seldom be aligned with technical preferences. It is the engineers’ 
responsibility to push back on unrealistic or short-sighted requirements. After the issues 
have been clearly delineated and vetted, it is the task of engineering to achieve the best 
system within the remaining constraints. 

Achieving the best system entails putting sufficient upfront effort in the project and 
penetrating competing concepts with sufficient fidelity to reveal main issues and design 
attributes. This will lead to selecting the right concept, thus providing a major determinant of 
subsequent project success. 

® A key message from Lesson 15 is: 

Challenge Requirements and Constraints 

Penetrate Competing Concepts with Sufficient Fideiity 

Select the Right Concept 


Lesson 16: Requirements Drive the Design 

® Requirements drive the design. The higher the performance requirements, 
the greater the sensitivity of the response. Constraints imposed greatiy 
aiter the design. 

Eii External/political considerations and constraints strongly drive design 
Eii Technical constraints also drive design, so apply them carefully and 
judiciously 

Eii Analyze and challenge requirements, constraints, and criteria at all levels 
to obtain the greatest possible engineering design flexibility 
Eii Do not accept unrealistic schedules and budgets 
E'3 Poorly defined and vacillating top-level requirements cost the program 
dearly in terms of wasted design effort and compromised design 
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Eil Over-specified criteria suppress the creativity of the design engineer 
Eii Criteria must be tailored for the specific project 

“For any given set of TRUs and basic performance requirements there is a naturai 
shape/size, if you push in one area it wili push out in another, creating technical 
problems and cost and schedule over-runs." - Garry Lyles 

Requirements are the mantle that determines the design, according Pugh in his book 
Total Design. A principle that we have learned the hard way is that “The higher the 
performance requirements the greater the sensitivity of the design to all parameters which 
influence the design and the response of the design”. External/political considerations as 
well as constraints drive the design, many times in undesirable and or unpredictable ways 
and should be scrubbed to the greatest degree possible. This includes pushing back on 
unacceptable cost and schedules. Another area that greatly influences requirements is that 
technical people tend to be very conservative in the development of the design criteria. 
These criteria should be tailored for each project and be at the minimum required for 
adequate or acceptable risks. 


Examples: 

Sensitivity Versus Performance 
Quotes from Pye and Others 
SSME Experience of Major Failures 
Fatigue and Fracture Problems 
LOX Post Failures 

4,000 FIz LOX Splitter Vane Problem 
Additional SSME Problems 
Super Lightweight External Tank 

Sensitivity Versus Performance 

A principle we learned many years ago in working the numerous SSME problems and 
failures says: The higher the performance requirements the greater the sensitivity of the 
system to any parameter uncertainties. Figure 3-3 was a generic plot of the principle. It is 
repeated here as Figure 1 6-1 . There are two curves shown: one for current technology and 
one for advanced technology. The shape of the curve does not change with improved 
technology but shifts down and to the right indicating that one way to reduce sensitivity is to 
improve the system technologies. The curve also indicates that the higher the performance 
requirements the greater the effort and depth of analysis and test that will be required to 
design and operate at that point. 
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Sensitivity versus Performance 



• The higher the performance requirements the greater the 
system sensitivity to weight, cost, parameter 
uncertainties, manufacturing flaws, etc. 


Figure 16 - 1 . Sensitivity versus Performance 


Quotes From David Pye & Others 

We have collected several quotes that deal with the principle of sensitivity versus 

performance requirements that are given beiow without comment. 

• “When you put energy into a system you can never choose what kind of changes 
shail take place and what kind of resuits remain. Aii you can do, and that oniy 
within limits, is to regulate the amounts of the various changes. This you do by 
design” - David Pye 

• “The requirements for design conflict and cannot be reconciied. Aii designs for 
devices are some degree failures... The designer or his ciient has to choose to 
what degree and where there shall be failures.” - David Pye 

• “All structures will be broken or destroyed in the end. Just as all people will die in 
the end. It is the purpose of medicine and engineering to postpone these 
occurrences for a decent interval. The question is: What is to be regarded as a 
decent interval?” - J.E. Gordon 

• “Mother Nature does not read our paper. If we don’t follow her way, she lets us 
fail.” - German Proverb 
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• “Paper is patient. Sense or nonsense, it accepts what we write.” - German 
Proverb 

• “Cooperate with Mother Nature to the maximum extent possible; minimum energy 
solutions are almost always the most reliable.” - John Junkins 

• “To understand what engineering is and what engineers do is to understand how 
failures can happen and how they can contribute more than successes to advance 
technology.” - Henry Petroski 

• “All design is essentially creative work and the state of mind of the creator is 
everything; which is to say that the state of mind of the designer is likewise 
everything where design is concerned” - Unknown source 

SSME Experience OF Major Failures 

The performance, weight, and geometric requirements for the SSME Block II are 
shown below in Figure 16-2. These requirements were derived from Space Shuttle flight 
requirements that were significantly influenced by the Air Force for payload size and weight 
and by NASA for a reusable spacecraft. These types of requirements have resulted in an 
engine with a very high power density of about (879 HP/#). The SSME’s have achieved a 
100% flight success and a demonstrated reliability of .9995. There have been six 
configurations leading to the current Block II configuration. The high chamber pressure 
(-3000 psi), chamber temperature (-6000° F), and high turbopump speeds (fuel pump 
-36,600 rpm) were the root causes of many problems because they were out of the design 
experience band. For example, a number of problems were related to metal fracture and 
fatigue failures and that resulted in rework cycles. 
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Maximum Thrust; [109% Power Level) 

At Sea Level; 
In Vacuum: 

413,000 lb 
512,300 lb 

Throttle Range: 

67% - 1 09% 



Hydrogen Pump Discharge; 

5,276 peia 


Oxygen Punnp Discharge; 

7,263 psia 


Chamber Pressure: 

2,994 psia 

Specific Impulse: (In Vacuum) 

452.3 sec 


Power: High Pressure Pumps 

Hydrogen: 

71,140 hp 


Oxygen; 

23,260 hp 

Area Ratio: 

69:1 


Weight; 

7,774 lb 


Mixture Ratio: (0/F) 

6.03:1 


Dimensions: 

168 in. long 96 in. wido 


Propellants; 

Fuel; 

Liquid Hydrogen 


Oxidizer; 

Liquid Oxygen 


Figure 16-2. Block II Space Shuttle Main Engine Requirements (109% Power Level) 


The development cost of the SSME was about $2.5 Billion (1996 dollars) and required 
163 rework cycles to achieve a certified man rated engine, see references [Havskjold, G., 
Parts 1 , 2, and, 3, 2009]. As shown in figure 12-1 about 73% of the development cost was 
related to correct actions (rework cycles). 

The following picture is a typical SSME in the test stand during a hot fire test. 
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Figure 16-3. Space Shuttle Main Engine Firing 

The SSME is a staged combustion engine that has two iow pressure pumps that 
attach to the Orbiter, two high pressure pumps attached to the engine. The LOX pump pairs 
and the fuel pump pairs are connected with ducts which have sections with beiiows so that 
the engine can be gimbaied. The other elements are shown on Figure 16- 4, such as, the 
nozzie, combustion chamber, preburners, controiiers etc. There were many problems and 
failures of these elements during development testing. [Cikanek, 1987] The engine that is 
flying today has had six block upgrades to solve these various issues, some that have 
aiready been discussed in previous sections. 


SSME With Identified Components 


Oxidizer LowPiessue 

Prebuner Oxidizer Tutwpuiip 



Figure 16-4. SSME Components 
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The total SSME component corrective actions during full scale development is 
summarized in Figure 16-5, see references [Havskjold, G., Parts 1 , 2, and, 3, 2009]. As can 
be seen there were 1 63 rework cycles, but the cost of about half of these rework cycles was 
very little. 


En^ne 

Number of 
Failure Modes 
Internal to 
Engine 

TurbomacJi- 

inery 

Comlbusion 

Devices 

Engine 

System 

Valves 

Intercon- 

nects 

Ottier 

SSME 

163 

51 HPOTP 
42HPFTP 

3 Nozzle 
6 Main inj 
3 Fuel prebr 
DMCC 

17 



37 iheat 
excb, low 
press 
pump, 
sensors, 
controller 


Figure 16-5. Total Failures During SSME Development 


However, shown in Figure 16-6 are 38 significant failures that occurred during 
development testing. There were eighteen $50 million engines totally consumed. Figure 16-6 
provides an indication of the variety of different hardware elements that failed. The cost of 
each of these failures was $30 Million or greater. Since the SSME was an advanced 
technology engine there was a lack of understanding of environments, hardware 
characteristics, advanced computational tools, and overall design experience. 


Failure Engine 


Number 

Date 

Test Number 

Failure 

S/N 

Rocketd y n e Rep ort 

1 

March 24, 1977 

901110 

HPOP Pri Lox Seal 

□003 

RSS-8595-11 

2 

Aijgust27, 1977 

901133 

Fuel PB Burn through 

0004 

none 

3 

Septembers, 1977 

901136 

H POP Bearing 

□004 

RSS-8595-13 

4 

November 11, 1977 

902095 

HPFPTurbine Blade 

□002 

none 

5 

December 1, 1977 

901147 

HPFPTurbine Blade 

0103 

none 

6 

March 31, 1978 

901173 

Main Injector Lox Post Failure 

□002 

none 

7 

Junes, 1978 

901183 

Main Injector Lox Post Failure 

0005 

none 

8 

June 10, 1978 

902112 

Eng Fuel Supp Blockage 

0101 

RSS-8595-14 

9 

July 18, 1978 

902120 

HPOPCap. Probe 

0101 

RSS-8595-15 

10 

October 3, 1978 

902132 

MOV I mproperly Installed 

□006 

none 

11 

Decembers, 1978 

901222 

HX Failure 

□007 

RSS-8595-17 

12 

December 27, 1978 

901225 

MOV Freting 

2001 

RSS-8595-18 

13 

May 14, 1979 

750041 

Nozzle S tee rh or n Failure 

□201 

RSS-8595‘19 

14 

July2, 1979 

SF06-1 

MFV Housing 

2002 

RSS-8595-20 

15 

November 4, 1979 

SF06-3 

Nozzle Steerhorn Failure 

2002 

RSS-8595-21 

16 

July 12, 1980 

SFlO-1 

FPB Burn through 

0006 

none 

17 

July 23, 1980 

902198 

Main Injector Lox Post Failure 

2004 

none 

18 

July 30, 1980 

902284 

MCC Lee Jet 

0010 

RSS-8595-22 

19 

January 28, 1981 

901307 

FPB Injector Lox Post 

□009 

RSS-8595-24 

20 

July 15, 1981 

901331 

Main Injector Lox Post Failure 

2108 

none 
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21 

September 2, 1981 

750148 

Main Injector Lox Post Failure 

0110 

None 

22 

September 21, 1981 

902249 

HPFTP Blade Failure- FPB Deactivated 
Lox Posts 

0204 

RSS-8595-23 

23 

October 15, 1981 

901340 

Fuel Pump Turnaround Duct 

0107 

none 

24 

February 12, 1982 

750160 

FPB Fuel Supply Blockage - Ice 

OllOF 

RSS-8595-27 

25 

April 7, 1982 

901364 

Kaiser Hat Nut 

2013 

RSS-8595-28 

26 

May 15, 1982 

750168 

OPOV Leak 

0107 

RSS-8595-29 

27 

August 27, 1982 

750175 

HPOP Disch. Duct (U/S FM) 

2208 

RSS-8595-30 

28 

February 14, 1984 

901436 

Coolant Liner Failure 

0108 

RSS-8595-37 

29 

February 4, 1 985 

901468 

FPB Instr Boss Crack 

0207 

none 

30 

March 27, 1985 

750259 

MCC Outlet Neck Blow 

2308 

RSS-8595-39 

31 

July 1, 1987 

902428 

OPB Injector Braze 

2106 

none 

32 

June 6, 1989 

902471 

LPF Flex Joint 

2206 

RSS-8595-43 

33 

June 23, 1939 

904044 

HPOP Pump End Bearing 

0212 

RSS-8595-44 

34 

November 6, 1991 

901674 

CCV Failure 

2032 


35 

June 18,1992 

902562 

OPOV Leak 

2107 


36 

January 25,1996 

901853 

HPFTP Blade Failure 

0523 


37 

August 27, 1 997 

901933 

Nozzle Tube Rupture 

0524 


38 

June 6, 2000 

902772 

FPB Fuel Manifold Tape Contamination 

0523 



Figure 16-6. Significant SSME Faiiures 


In a comparison of the SSME to the F-1 and J-2 engines, it can be seen that all three 
are advanced technology engines and their technical uncertainty factors are high and similar. 
As a consequence their development costs and their rework cycles are similar. To reduce 
development costs in the future, it is clear that the technical uncertainty factor has to be 
reduced. Finally, it is noted that the SSME is the only reusable rocket engine certified for 
human flight. 


SSME Fatigue and Fracture Failures 

In the baseline design of the SSME there were no fracture mechanics design 
requirements and the material properties were based upon predicted minimum values. A 
fracture mechanics plan was established in 1973 after the basic design was completed and 
drawings released. In May 1980 a structural audit was completed [Mulloy, et.al., 1980] before 
the first flight. The main findings relating to structural practices were: the structural design 
data base of the SSME is mature and analytical practices are state-of-the- art; material 
properties are predicted minimums. The main findings relating to component assessments 
were: eleven components did not meet verification criteria and of these three had failure 
probabilities of an order of magnitude less than others. Nozzle failures are a dominant factor 
in reducing structural criteria and that is a result of process control and contamination not 
structural design deficiencies. The major findings related to structural reliability were: a 
comparison of the SSME to The J-2 indicated the emanation rate of UCR’s was similar and 
failure rate trends of both engines were similar with reliability expected to improve 
substantially with increased firing time. As of March 30, 1980 the probability of a structural 
failure of an STS-1 engine during a mission resulting in loss of life or mission was 0.05. 
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In the activity associated with the 1973 fracture mechanics plan, 150 welds were 
identified as “fracture critical”. They were implemented based on NDE improvements as 
opposed to redesign [Rocketdyne Presentation, 1989]. Prior to 51 L, welds were selectively 
assessed. After 51 L, the Critical Items List (CIL) assessment for welds was expanded to 
identify all critical welds. The idea was to prepare rationale for retention for all welds prior to 
flight, identify and implement corrective action as required, and establish a weld data base for 
rapid screening of future weld issues. At that time, the material data base contained 1150 
pages of design properties. Forty-three percent of these were predicted minimums with some 
unverifiable sources, extrapolations, and empirical relationships. The material data base was 
upgraded to include 26 SSME materials tested in 8500 tests with 1400 in high pressure 
hydrogen. In addition, the fracture mechanics data base was expanded including weld defect 
testing. 

During the weld assessment [Rocketdyne Presentation, 1989], the FMEA/CIL weld 
statistics included 3,165 welds. Initially, there were about 2000 welds operating at yield 
conditions and this condition resulted in failures during hot fire testing. The system was 
sensitive to manufacturing tolerances resulting in eccentricities and misalignments in weld 
offsets. As can be seen in the illustration in Figure 16-7 below, there were weld mismatches 
in duct joints. Wax molds were required for each weld to determine the exact geometry for 
structural lifetime assessments. 

A total weld count was undertaken on the SSME Block I configuration and there were 
23,055 welds; 10,698 welds were made by Prattt & Whitney Rocketdyne and 12,357 made by 
suppliers where 12,000 of these were resistant spot welds on metallic TPS. [Zimmerman, 
2010] A weld comparison of the SSME Phase II configuration (1988) to the presently flying 
Block II configuration shows that over 1000 welds have been eliminated from the engine in 
the combustion devices and the turbopump components. [Benefield, 2010] 

Although there were no fracture mechanics requirements and material properties were 
predicted minimum values in the baseline design, material properties have since been 
established through laboratory and hot fire testing. The weld joints margin and reliability have 
been increased by improvements in weld processing, verification and inspection, analytical 
assessment, design, hot fire measurement, and materials testing. 
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Figure 16-7. Weld Offset Mismatch 


SSME Fatigue and Fracture LOX Post Failures 

During the development of the SSME there were five engine failures caused by high 
cycle fatigue (HCF) of LOX posts in the main injector assembly. During inspection of all other 
injectors, there were an additional two found with cracked LOX posts. Shown in Figure 16-8 
below are the power head, main injector, and turbo-pump assemblies. 
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Transfer Duct 
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te 


Secondary 
Face Plate 


Figure 16-8. Power Head, Main Injector, and Turbo-pump Assemblies 


There are 600 LOX posts in the injector that transport LOX to the primary face plate of 
the injector. The HCF failures were caused by static stress (thermal and pressure) and 
dynamic stress i.e., vortex shedding about the posts. About 70% of the hot gas comes from 
the fuel side while 30% comes from the oxidizer side [Pelaccio, et. al, 1984]. The hot gas 
from the fuel turbine swirls as it goes through an 180° turn and then abruptly enters the three 
tube transfer duct, see Figure 16-8. This highly energetic, non-uniform, separated, and 
turbulent flow then impinges on the LOX posts. The failures resulted from the 70% hot gas 
flow from the fuel side and were in the regions indicated by the circles 1 and 2. 

Shown in Figure 16-9 are failed LOX posts from the first incident (Engine E0002). On 
the left side of the figure, the deformation due to loading can be seen and on the right side, 
the post burn out can be seen as viewed looking at the primary face plate. 



Figure 16-9. Lox Posts Failures (Engine E0002) 
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Initially cracking occurred in the threads of the LOX posts tips as shown in Figure 16- 
10. Once there was a through crack, high pressure LOX flowed into the fuei region of the post 
causing a fire in the LOX post. When the post burned through, it allowed LOX flow into the 
fuei rich region between the secondary and primary face plates of the injector causing 
burning of other LOX posts between the face piates. The region of the failure is shown in 
Figure 16-8 by circle 1 . 



Thread Crack Region 


Region of LOX and Hot Gas 
Mixing and Burning 


Figure 16-10. LOX Post Failure Mechanism 


LOX post failures as described above were on: Engine E0002, 3/31/78; Engine E0005, 
6/5/78; and Engine E2004, 7/23/80. [Flopson, August 1980] After Engine E0005 failure, flow 
shields were added, but with a different injector. After testing cracked shields were found but 
no burn-throughs. The next engine with flow shields was Engine E2004. The purpose of the 
flow shields was to divert the flow and carry some of the load. However, posts still cracked 
and burned but around the side of the injector where there were no shieids, see Figure 16-11. 



Figure 16-11. Engine E2004 Injector Failure 
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Locations of LOX failures on engines E0002, E0005, and E2004 are shown in 
Figure 16-12. 



Figure 16 - 12 . LOX Post Failure Pattern 


In order to continue engine development testing, additional modifications were made 
to the injector. The LOX posts were made of 31 6L Gres steel and for engine E2108 the 
material of the tips of the posts was changed to Haynes 188. In addition, flow shields were 
put on all injector posts around the outside circumference of the injector. In the test of engine 
E2108 (7/15/81) [Hopson, July, 1981] and engine E0110 (9/2/81) [Hopson, September, 

1981], LOX posts again failed due to HCF. However, these cracks occurred at the top of the 
posts in the inertial weld region in the vicinity of the interpropellant plate, see Figure 16-8, 
circle 2. LOX flowed through the cracks into the region between the interpropellant plate and 
the secondary face plate causing a fire. It is thought that the E2108 failure resulted from a 
more severe (unanticipated) flow environment in going from RPL to FPL and from 
modifications to the fuel turbopump to achieve FPL. The LOX posts were then redesigned for 
the more severe environment. In the case of the subsequent engine E01 10 failure, inspection 
of some of the undamaged posts revealed manufacturing defects in the inertia weld even 
though there had been pretest inspections. Inspection procedures were improved to mitigate 
future failures. Eventually, all LOX post material was changed to Haynes 188. The changes 
made to the injector assembly resulted in a reduction of the engine Isp of about 1 .5 seconds 
(600 pound payload reduction). 

In order to increase margin and performance while improving safety and reliability, 
efforts were taken to redesign the hot gas flow path on the fuel side of the hot gas manifold. 
The three tube transfer duct was changed to a two tube transfer duct with an increase in area 
of 30%; increased the turnaround duct exit area by 68.5%; and increased the fishbowl cross- 
sectional area 75.3%. These increased cross-sectional areas have the effect of reducing the 
dynamic pressure (V 2 pV^) and thus the static and dynamic flow loads. Then inlet and outlet 
regions of the tubes were rounded. The transfer ducts were flared into the fuel preburner 
housing and main injector housing. In addition, contoured turning vanes were used to make 
the flow into the transfer ducts from the fuel turbine more uniform and decrease the fuel 
turbine exit pressure gradient. The effect of these changes was to make the flow more 
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uniform [Pelaccio, et. al., 1984]. In the two tube transfer duct design 72 welds were 
eliminated and there were 52 fewer detailed parts. This lead to a 40% cost reduction in 
comparison to the three tube system [Jue, 1997]. 

Shown in Figure 16-13, are blended pressure contours of the three tube and two tube 
transfer duct configurations obtained from CFD computations [Ames Research Center, 2000]. 
It can be seen that the flow of the two duct system is more uniform than the three duct 
system, thus reducing loads and flow losses. 



Shown in Figure 16-14 is a comparison of the circumferential total pressure distribution 
of the three tube and two tube transfer ducts. It can be seen that the two tube system is 
significantly more uniform than the three tube system. 
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CMICUWrUltNTlAi tOCATIOM 

Figure 16-14. Total Pressure Variation Downstream of the Turnaround Duct 180^-Turn 


In the initial development of the SSME the severity of the flow environments in the hot 
gas manifoid were not anticipated. There were no adequate requirements regarding flow 
static and dynamic environments or effects of flow uniformity in the design of the gas path or 
injector. The consequences were faiiures of five engine injectors. In addition, there were two 
distinct types of failures. Extensive measurements were made in hot fire tests as weil as 
scaie modei tests to finally understand the flow environment and design out failure 
mechanisms. Subsequently, this configuration became the baseline and was certified for 
flight. 


This configuration was designated Block I and was first fiown on the STS-70 flight in 
Juiy 1995. The SSME has been further upgraded and the changes describe herein are in 
those upgraded engines. 


4000 Hz LOX Splitter Vane Problem 

During development testing of the SSME, the power ievels of the engines were 
increased incrementaiiy over time to assess the overali performance and condition of the 
hardware as the power levei increased. When the power ievel was increased to109% 
acceierometers on the gimbai bearing of engine E2025 recorded high vibration ievels that 
were close to 100 g’s RMS at a frequency of 4000Hz, [Jones, et, al., 1994]. The source of the 
vibration was traced to LOX inlet/tee location on the SSME Powerhead, see Figure 16-15. 
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Gimbal Bearing 



Figure 16-15. Gimbal Bearing, LOX Inlet/Tee, and Splitter Vane 


The E2025 engine hardware was examined and there was no evidence of damage. A 
review of data from 22 engines and 14 power heads revealed that only engines tested at 
power levels above 100% (and not all of them) had the 4000Hz vibration. Inspection of the 
hardware revealed that it was within manufacturing tolerances. However, there was cracking 
on one vane near the outer shell of the tee on engine E21 1 6 and on engine E0005B both 
vanes were cracked. 

Simultaneously, structural and CFD modeling, water flow and LN 2 tests, and careful 
examination of the hot fire vibration data revealed vortex shedding from the LOX inlet Tee’s 
splitter vanes’ blunt trailing edge at a frequency of 4000Hz. [O’Connor, et. al., 1988] It was 
determined that this frequency tuned with the vane’s first torsional mode frequency resulting 
in high vibration levels. While tuning is the most significant factor, the high amplitudes were 
the result of the flow’s high dynamic pressure (%pV^) of about 275 psi. 

To eliminate the high vibration levels two distinct changes were made to the hardware. 
One change was to asymmetrically bevel the trailing edge of the vane to suppress the vortex 
shedding. The second change was to scallop the leading edge of the vane to shift the 
torsional mode frequency higher and out of the operational range, see Figure 16-16. It also 
reduced the turbulence induced background noise. 
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Figure 16-16. 4000Hz Splitter Vane Fixes 


These changes were developed after extensive analysis and testing and were verified 
by water flow testing. The bevel at the vane’s trailing edge completely eliminated the vortex 
shedding source. The inlet vane change was made in order to provide an added margin of 
safety. These fixes were eventually certified on hot fire testing and all engines were 
appropriately modified. It was first fiown on STS-26 in September 1988. Both 4000 Hz 
changes described above were first implemented on E0212. Engine E0212 (which was 
originaily named E2025) provides a direct comparison, with and without the 4000 Hz 
modification, and is shown in Figure 16-17. This is the gimbai bearing acceierometer 
measurement and it dramaticaliy demonstrates the effectiveness of the fix. 
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Figure 16-17. 4000 Hz Eliminated 


The 4000Hz LOX splitter vane is a situation where the hardware was manufactured 
and inspected and met design specifications. However, this falls into a category of an 
unknown/unknown, since requirements were not anticipated to adequately design the splitter 
vane system. As the power level of the engine increased the vortex shedding frequency 
tuned with the vane first torsional mode frequency along with the condition of a high dynamic 
pressure resulting in vane cracking. This failure was caught in the act before it consumed any 
engines. 


Additional SSME Design and Operational Problems 

One SSME Subsystem is shown on Figure 16-18 as an example of the historical data 
available. 
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Figure 16-18. Development Problems of the SSME Alternate High Pressure LOX 

Turbopump 


Super Lightweight External Tank 

The requirements for the Space Shuttle to launch and service the International Space 
Station (ISS) resulted in the need to increase the Shuttle ascent performance. The Shuttle 
had been flying several years and was basically a fixed configuration. Therefore the major 
approach open for performance increase was a weight reduction program of the major 
components of the Shuttle. The External Tank was a prime target for mass reduction, since a 
one pound tank weight reduction produced a one pound performance increase. Figure 16-19 
illustrates that by changing the material of the tank to aluminum lithium and changing its 
construction to orthogrid while maintaining its external configuration and tank volume saved 
7,500 pounds of weight and resulted In a payload increase of 7,500 pounds. To accomplish 
this dramatic change, a reverification of the structure and the fracture mechanics program 
was required. [Presentation by Neil Otte, Ryan’s working papers] Also the manufacturing 
process and the weld repair process had to be changed and verified. Protoflight testing of the 
hydrogen tank in conjunction with proof test was an additional complication that required 
each tank built to have the protoflight test to insure the tank had adequate buckling margins. 
The lesson Is clear- changing requirements during operations of a program adds additional 
risks and cost. 
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Achieving High Inclination Space Station Orbit 


Higher performance requirement of the ISS orbit was 
equivalent to 13,500 lbs payload hit for Shuttle. 


Super Light Weight Tank (SLWT) introduced, providing 
7,500 lbs payload gain. 


-Welding / weld repair 
-Orthogrid design 

- Fracture properties 

- Verification 


Lesson from SLWT Program 
Don't parallel development and 
manufac taring. 

Develop and then manufacture. 


• Additional payload was achieved through systems and 
orbiter improvements 


Changing requirements during Operations phase J_ 

creates major impacts. 

Figure 16-19. Impact of ISS Orbit Requirements on Externai Tank 
A key message from Lesson 16 is: 

High Performance Requirements Cause 


Push Back on Requirements and Strive to Achieve Robustness. 


Lesson 17: Designing for The -iiities and Cost 

The -iiities and Cost Must Be On the Design Tabie If We Are To Be Successful 

Challenge Requirements and Constraints 

Penetrate Competing Concepts with Sufficient Fideiity 

Seiect the Right Concept 


High Power Density 
High Sensitivity 
Unwanted Interactions 


which result in 


Lower Margins 
Higher Risk 
Higher Cost 
Operational Complexity 




The success of a launch system is measured not only by its physicai performance 
parameters such as how much payioad it can lift to orbit, but by its reiiabiiity, its operabiiity, 
how much it costs, and numerous other attributes. A successfui system must be designed 
from the start for these “-ilities” and costs as well as for physical performance. In order to do 
this, the designer must be provided functionai reiationships that connect the design variables 
available to him/her with how they affect vehicle’s future operation — its -ilities and costs. We 
call this “putting the -ilities and cost on the design table” (or more currently, “on the CAD 
system”). The -ilities and costs can then be part of the system optimization along with 
physical performance. 

Examples 

• Space Shuttle Day of Launch l-Load Update (DOLILU) 

• Designing Considering the Totai Life Cycle 

• How We Previously Designed for the -iiities and Cost 

• How We Shouid Design for the -ilities and Cost 

We wiii first iook at the Shuttie Day of Launch l-Load Update process as an exampie of 
operationai compiexity not foreseen in the initiai design, then compare how we have 
designed for the -ilities and cost in the past with how we should design for them in the future. 

Shuttle Day of Launch l-Load Update 

Wind biasing as a means of reducing structural load was discussed in Lesson 6 on the 
Balancing Act. There we noted that the Shuttie was intended to be designed with enough 
structurai strength to ailow iaunch using a trajectory biased for the monthiy mean wind. 
Because of the aerodynamic anomaly described in Lesson 4, the Shuttle in fact wasn’t strong 
enough to be launched with monthly mean biasing, but required biasing for the winds 
measured on the day of launch. A Day of Launch l-Load Update (DOLILU) process was 
required, which entaiied significant operational complexity and expense. Wind biasing 
involves calculating the guidance parameters based on the bias wind, and ioading them into 
the fiight computer. With monthiy mean biasing, this process can be accompiished and 
verified weii ahead of iaunch day, but with day-of-iaunch wind biasing, all this must be done 
in a short time span based on winds measured a few hours prior to launch. [Norbraten, 1992] 

Figure 1 7-1 shows some exampie elements of the DOLILU process for Shuttle. At 
several times prior to launch, balloons are used to measure winds and atmospheric 
parameters. The wind measured at L minus 3:45 hours is smoothed and used to bias the 
first-stage guidance commands so that if the vehicie in fiight shouid experience that same 
wind, there would be no wind-induced ioads. In actuality, the wind wili change between the 
time the baiioon measures it and the vehicle flies through it, but biasing to the balloon- 
measured wind wiii minimize the wind-induced load. The biased first-stage guidance 
commands that have been generated must be verified, approved, and then ioaded into the 
flight computer prior to launch. The trajectory command set is calied an l-load. 
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Example Elements of D ay of Launch l-Load Update (DOLILU) Process 
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Figure 17-1. Elements of Day of Launch l-Load Update (DOLILU) Process 

The biased trajectory profile must be assessed to ensure that when the vehicle flies 
that profile, the loads will not exceed the structural capability. This requires taking into 
account the many vehicle parameter variations and the variability of the wind between the 
time of balloon measurement and launch. These variations are combined statistically as 
“knock-down” factors on the structural capability to produce load indicator boundaries called 
Q-planes as a function of altitude. The simulated response of the vehicle using the l-load 
must lie within these boundaries; otherwise, the launch is no-go. An additional Q-plane 
check is made using the wind measured by a subsequent balloon closer to launch (L minus 
2:00 hours). There is sufficient time before launch to make this verification check, but not to 
create an updated l-load set. 

Figure 17-2 shows some of the process, with the balloon releases indicated by stars 
along the timeline leading up to launch (L-0). Wind data from the L-3:45 balloon is combined 
with other information to create the l-load for the onboard flight computers. For redundancy, 
two organizations independently generate l-load input in parallel, which must compare 
identically before this flight-critical item is loaded onto the flight computers. The load is them 
read back to the ground systems for confirmation. 
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Figure 17-2. Shuttle Day of Launch l-Load Update Data Flow and Timeline 

“Some graphics on Figures 17-1 and 17-2 are from a presentation on DOLiLU Operations by Brian Harrington, USA, Aprii 20, 2005. 


Although the process has been streamlined from earlier DOLILU approaches, it is 
clear that the Day of Launch l-Load process requires significant operational effort and 
complexity. Because the Shuttle is not structurally robust, the program has to pay the 
operational cost of this process to safely achieve a reasonable launch probability. This Is an 
example of operational complexity not in the original plan. 

Design Considering the Total Life Cycle 

In the past we typically focused our design activities on the physical performance of 
the vehicle, then assessed the design for operability, reliability, and cost. What is needed is 
to design for the total life cycle, which means designing not only for performance, but also 
(and concurrently) designing for the -llltles and cost. 

Figure 17-3 shows a listing of typical metrics of design — those attributes that measure 
how the system performs, operates, and costs. We can collect them into three categories: 
(1) Performance, which describes how the physical system behaves, (2) The-ilities, which 
includes attributes such as safety, reliability, manufacturability, operability, etc., and (3) 

Costs, which includes various measures of cost. Because our systems are highly 
interconnected, changing one of these attributes typically will affect the others, within the 
same category as well as in the other categories. 
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INTERACTING METRICS OF DESIGN (Typical) 
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Figure 17-3. Interacting Metrics of Design 


In order to obtain a balanced design that meets -ilities and cost goals as well as 
performance, we must take a systems design/optimization approach across all aspects of the 
life cycle (Figure 17-4). 

* In order to meet operability, cost, and other goals in addition to 
performance, we must take a systems design/optimization approach 
across all aspects of the life cycle. 

•The goal: While achieving necessary safety, obtain the best balance 
among performance, the -ilities, and cost. 
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* In order to meet operability, cost, and other goals in addition to 
performance, we must take a systems design/optimization approach 
across all aspects of the life cycle. 

♦ The goal: While achieving necessary safety, obtain the best balance 
among performance, the -ilities, and cost. 



Figure 17-4. Design Considering Totai Life Cycie 


How We Previously Designed for the -ilities and Cost 

The previous design approach is iiiustrated in Figure 17-5, showing the initiai concept 
being designed iteratively for performance, then subsequent assessments and adjustments 
being made for -ilities and cost. The -iiities and costs are harder to predict than are 
measures of physical performance. This process is iterative and sequential, and produces a 
less than ideal design. 
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Figure 17-5. Previous Design Approach 


How We Should Design for the -ilities and Cost 

What is needed is a comprehensive process that addresses downstream -ilities and 
costs concurrently with performance. As discussed earlier, we describe this as “putting - 
ilities and costs on the design table”. In order to do this, we need to have functional 
relationships that provide the designer with measures of costs, operability, reiiabiiity, 
manufacturability, etc., as a function of the design parameters that the designer can choose 
(Figure 17-6). Another design process improvement represented on the figure is integrated 
system anaiysis that where possibie unifies anaiysis of subsystems, design functions, and 
discipiine functions that are currently compartmentalized. 
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DESIRED DESIGN APPROACH 

Concurrent, Comprehensive 



To optimize the total system we need functional relationships from 
the -ilities and costs related back to the design parameters. 


Figure 17-6. Desired Design Approach 


Obtaining functional relationships between the -ilities/costs and design parameters 
would enable an ideal concept assessment process illustrated notionally in Figure 17-7. Here 
the different concepts or designs are mapped into an attribute space (represented 
simplistically on the figure as three-dimensional) that includes all metrics. Comparisons and 
directions for improvement would be direct, enabling unified design for the total life cycle. 



Concept A 


Design Solutions 


Figure 17-7. Functional Relationships Enable Design Solutions for Multiple Concepts 
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Obtaining the functional relationships needed for the above process is a challenge- 
only a few are currently available. Based on historical or other data, people in all technical 
areas should work to identify functional relationships that connect the -ilities and cost to 
design variables, thus working toward making the -ilities and cost concurrent “design-to” 
attributes along with performance. 

® A key message from Lesson 17 is: 

Work toward making the -ilities and cost concurrent “design-to” attributes 
along with performance. 


Principle VII: Testing and Verification Have an Essential Role in 
Development 

Testing and verification are central activities in the development process. Their 
importance is reflected in the large proportion of project cost that is dedicated to testing and 
verification activities. This principle will be addressed in the following lessons: 

18. Hardware and Its Data Have the Answers 

19. Can Test Now or You Will Test Later 

20. Independent Analysis, Test, and Design Keys To Success 

21. Aii Analyses and Tests Are Limited 

22. Scaiing Is a Major Issue 


Lesson 18: Hardware and the Data Have the Answers 

® Read The Hardware and Its Data -They Have The Answers 
Eii Don’t rationalize what is seen 
Eii Look for the hidden message 

The real system is the hardware and software — it is not analysis models or even our 
mental models of the system. We must look to the actual hardware and software for answers 
to the actual system behavior. 

In developing an engineer’s capabilities, there is no substitute for experience with the 
actual hardware. Hardware experience can be acquired as the hardware is being 
manufactured and assembled, and during testing — development tests, qualification tests, 
certification tests, hardware-in-the-loop simulations, etc. — as well as flight experience. 
Persons working the design/development process should take every opportunity to gain 
hardware experience, to understand the reality of the actual system. 
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Hardware inspection observations and data acquired during test and flight are keys to 
understanding. There is usually more information there than first meets the eye. Plow the 
data deeply to extract the message. If the data doesn’t correspond to your expectations, the 
initial reaction often is to assume it is bad data. Resist that reaction — the data is usually 
valid, and it contains a message about the real system. Look for the hidden message and 
don’t rationalize away what is seen. 

Examples: 

• 51 -L Challenger Failure 

• Hubble Space Telescope Mirror Aberration 

• X-33 Liquid Hydrogen Fuel Tank Failure 

51 -L Challenger Failure 

The failure of the Shuttle on Mission 51 -L in 1986 provides an example of the need to 
intently focus on what the hardware and data is telling us, and not discount anomalies that 
may be precursors to failures. The 51 -L failure and its causes have been extensively 
documented, and will not be repeated here except to highlight some perspectives relating to 
the lesson at hand. [Rogers, 1986] 

The original design of the SRM field joint had some inherent flaws that were not 
initially apparent. When the SRM was ignited, the pressure increase caused rapidly-opening 
deflections at the joint sealing surfaces (Figure 18-1). The sealing surfaces at both the 
primary and secondary 0-ring seals exhibited this characteristic, and although the secondary 
deflection was smaller than the primary, the two seals did not provide independent 
redundancy. Putty was applied as a thermal barrier between the facing surfaces of the 
mated segment insulation. As the segments were joined during assembly and the seals were 
leak checked, trapped air often caused blow-holes in the putty that created pathways to the 
joint for the combustion gas. Depending on the extent of the pathways, the response of the 
specific joint and 0-rings, and other variables, the hot combustion gas could impinge on the 
0-rings and cause heat-affected areas and erosion. 
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SRM 3D Solid Element Model 


Joint Gap Deflections 



U-J-J 
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Unsymmetrical stiffness resulted in gap 
deflection under pressurization 


Dynamic response during pressurization almost 
doubles the gap dimension at the primary 0-ring 


Figure 18-1. STS 51 -L SRM Field Joint and Gap Deflections 


There had been several occurrences of SRM joint 0-ring distress in flights previous to 
Mission 51 -L, where hot gas from SRM combustion had penetrated through breaches in the 
putty between the segments and impinged on the 0-rings. These anomalies were assessed, 
but as they recurred on subsequent flights, they tended to be rationalized as being within the 
experience base. This is an example of “normalizing the deviances” and not taking action on 
impending problems. As a member of the Investigating commission, J. R. Thompson 
commented, “It was winking at us.” 

Figure 18-2 is taken from the final report of the commission on the Challenger 
accident. It was developed by commission staff members to summarize the correlation of O- 
ring damage experience with temperature. The top display in the figure plots the number of 
0-ring distress incidents versus temperature. By themselves, these data did not indicate a 
clear correlation of distress with temperature. But when data from flights with no distress is 
added, as in the bottom display, a different picture emerges, and the temperature correlation 
is more evident. The lesson is to consider aN information when making decisions. 
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Engineers must consider aii the data in the decision making process. 


Figure 18 - 2 . SRM Field Joint Flight Data - Thermal Distress Incidents vs. Temperature 


Most major failures have more than a single cause, and this was the situation for 51 -L. 
The gap at the clevis-tang joint opened when the SRM ignited and pressurized the case, 
exceeding the ability of the primary and secondary 0-rings to resiliently respond at cold 
temperatures and maintain the joint seal. In addition, there were factors that contributed to 
the failure of that specific SRM joint. Although it is not considered good design practice to 
rely on pressure to actuate O-ring seals, pressure going around and under the 0-rings had 
most likely aided the material resiliency to seal most SRM joints. The O-ring groove 
tolerances on the SRMs allowed the possibility that both sides of the O-ring could be in 
contact with the groove, which would have hindered pressure actuation. Furthermore, the 
relative diameters of the tang and clevis were a factor. When the SRM cases are reused and 
proof tested, their diameters undergo a slight permanent change. There had been several 
reuses of the tang-side case on the joint that failed on 51 -L, making it likely that the tang 
surface and clevis surface were In contact, pressing the 0-rlng into the groove and reducing 
the likelihood of pressure actuation assistance. (Figure 18-3). The question should have 
been “What is the real hardware doing?” instead of a reliance on idealized concepts or 
models. 
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a) Maximum 0-Ring (Dia. .2985) b) Nominai 0-Ring (Dia. 28 In.) 

Minimum Groove Size Maximum Groove 


0-Ring Tolerance Stack-up 




1 . Inside diameter of case tang increases 
with reuse; could result in surface to surface 
contact with clevis. 

2. 0-ring tolerance stack-up shown in 
figures a) andb). 

3. With tolerance stack-up in figure a), and 
su rface-to-su rf ace contact between 
tang and clevis interface; 0-ring unable 
to pressure activate. 

4. 0-ring was inelastic due to low 
temperatu re, precluding sealing. 

5. EitherS, or 4, or the combination has 
high potential forjointfailure. 


Original Field Joint 


Redesigned joint eiiminated these conditions 


Figure 18-3. STS 51 -L Field Joint - 0-Ring / Groove Tolerance Effects 


Redesign of the SRM joint following the accident corrected its various shortcomings, 
and produced a design that has multiple layers of protection against a joint breach. [Perry, 
1989] These improvements include a tang/clevis capture feature that greatly reduces gap 
opening at pressurization, improved groove tolerances, better sealing checks, sealed 
insulation, joint heaters, and better assembly procedures. (Figure 18-4). The redesign has 
flown successfully ever since, with no indications of seal problems. 
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Hubble Space Telescope Mirror Aberration 

The Hubble telescope, see Figure 18-5, was launched in April 1990 on Space Shuttle 
Discovery (STS-31). Its weight is 24,500 lbs. and the main mirror’s diameter is 94.5 inches. 
The orbit is near circular and at an altitude of 347 miles. Its inclination is 28.5 degrees with a 
period of 96/97 minutes. 



Figure 18-5. Hubbie Space Telescope 
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After the launch it was learned that the main mirror was incorrectly ground. Efforts 
were taken to determine what could be done to fix the mirror system and how the mirror was 
incorrectly ground. A method was established to fix the telescope while in orbit, since the 
telescope was designed so that it could be serviced. So the first servicing mission took place 
in December 1993 and several instruments and other equipment were installed over 10 days, 
returning the telescope to full capability. 

During the manufacturing of the mirror there were tests to determine the shape of the 
mirror’s surface. Tests with the new “flawless and superior” reflective null corrector device 
showed the mirror’s surface to be perfect. However, during the setup of the mirror and 
reflective null corrector device, a 1 .3 mil spacing error was caused by the intentional 
placement of washers to make the reflective null corrector device match the laser reflection 
from a MBS precision metal calibration bar. So whenever the surface was measured it 
showed perfect when in fact it wasn’t. 

Other surface tests were made during manufacturing. One was with an inverse null 
corrector device and the other was a refractive null lens. Both of these indicated that 
something was amiss. However, the mirror manufacturer, Perkin-Elmer Corp., discounted 
these results in favor of the “flawless and superior” method; see reference [Allen, 1990]. 

From this experience it can be seen that, see reference [Chapman, et.al., 1997] 

1 . Ouestionable test results were not understood and they were discounted. 

2. There was no requirement for an independent check. 

3. Didn’t compare to the Eastman Kodak mirror and select the best. 

4. No system test required. 

5. NASA didn’t follow through with insight-oversight. 

X-33 Liquid Hydrogen Fuel Tank Faiiure 

Single Stage to Orbit vehicles require a very high mass fraction for performance 
efficiency in order to reach orbit. One method for achieving this structural efficiency is using 
the technology of composite cryogenic propellant tanks, which is a new technology for 
achieving the high mass fraction. The X-33 fuel tank was designed to develop and 
demonstrate this technology. The X-33 hydrogen tank failed during verification testing under 
cyrogenic conditions. The tank wall design was an inner skin of 13 composite plies with a 
layup pattern, a IV 2 inch honeycomb core for insulation, and outer skin (face sheet) of 7 plies 
as shown on Figure 18-6. 
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X-33 LH 2 Tank Failure Investigation Findings 



Figure 18-6. Geometry of Sandwich Structure of X-33 Fuei Tank 


The design approach of the outer and inner sheet over the honeycomb had problems 
during manufacturing. The process was verified using a 2 foot square panei, and then the first 
fuil panel was made. When it was taken out of the autoclave and laid on the fioor the outer 
panel delaminated. This was investigated by a speciai panei. It was realized that there was a 
iowering of the quaiities of the adhesive used to fasten the sheets to the honeycomb in the 
fuil scale article due to the extended time between adhesive appiication and autoclave cure 
(the adhesive out-time). The process was reworked. Also, everyone knew and was worried 
about cryopumping during fiight causing a failure. Therefore, the panel also recommended 
that the TRL level be reduced and that the cryogenic verification test of the flight tanks have 
speciai instrumentation to ensure no cryopumping and other potential problems. 

The program proceeded to build the two flight hydrogen tanks and brought them to 
MSFC for the cryogenic and structural loads verification tests. The articles were all 
instrumented with the speciai instrumentation including thermal and strain gauges and 
pressure gauges in the honeycomb. The first test was conducted using liquid hydrogen with 
the fiight tank pressurization system and appropriate flight-iike ioads. After the test the tank 
was drained and in the depressurization process the outer face sheet was blown off. The 
basic cause was not the expected cryopumping but was caused by the hydrogen gas 
penetrating the inner skin, due to micro cracking of the inner composite panel, filling the 
honeycomb core with liquid hydrogen. After the test, the tank was drained of liquid hydrogen, 
and the hydrogen trapped in the honeycomb warmed up and biew the outer skin off the tank 
(Figure 18-7). 
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Figure 18-7. Failed X-33 Fuel Tank 


The cause of the gas penetration into the honeycomb was micro cracking of inner face 
sheet due to the thermal strain between the outer face sheet being at ambient and the inner 
face sheet being at -420 degrees plus the stress introduced by the tank internal pressure. 
Figure 18-8 shows plots of the pressure variation in the tank and in the honeycomb at various 
locations. Notice the heavy line is the tank internal pressure actual profile during the test. The 
lighter lines are pressures at various locations in the honeycomb. Notice that the honeycomb 
pressure does not track the internal tank pressure but starts rising when the micro cracking 
starts. As the tank was drained the honeycomb pressures starting coming down to the point 
that when the internal pressure was low enough the micro cracks sealed and the honeycomb 
pressures continued to rise, until the outer skin blew off. This phenomenon was duplicated on 
small panel testing at Southern Research Institute and by LaRC engineers using analytical 
fracture analysis of composites. 
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Figure 18-8. Pressures in Faiied X-33 Fuei Tank 


The X-33 LH 2 Tank Failure Investigation findings were: 

• Scaiing of manufacturing processes is a major verification issue. 

• Adhesive out-time before autoclaving lost strength. 

• Micro-cracking of composites was not well understood before committing tank to 
design and manufacturing. 

• Design of attachments to take out the thrust load (thrust busters) is a major design and 
manufacturing chaiienge. 

• Verification of new technologies generally requires fuii scale testing. 

® A key message from Lesson 18 is: 

There is no substitute for experience with the actuai hardware. 

Look cioseiy at what it teiis you. 


Lesson 19 : Test Now or You Will Test Later 

® Testing is an essentiai eiement of the design process. 

Eii "Test what you fly, fly what you test." - Jack Bunting, Lockheed Martin 
Eii Development and verification testing is at the heart of design. 
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Eil Testing should be a building block approach, i.e., subscale and full scale, 
component and systems. 

Eil Different types of testing are needed: Development, Qualification, 

Verification, Certification, Acceptance. 

E'3 Tests are no better than the assumptions used. 

Testing is mandatory for all high performance systems. As the title of the lesson says, 
“You can test now or you will test later”. This makes the point that the initial time a product is 
operated will be first and foremost a test if adequate testing has not been accomplished 
already. In addition, no test can fully duplicate all the combined environments of operations, 
thus for most systems the first few uses are indeed development tests, since this is the first 
time all the combined environments have been experienced. This is especially true for launch 
vehicles that must traverse through a varied and complex set of natural and induced 
environments. The following discussion emphasizes some of the basic principles of testing 
and verification with the overarching principle “Testing is an essential element of the design 
process.” 

Jack Bunting of Lockheed Martin has said “Test what you fly and fly what you test.” 
Others have said; “Development and verification testing is at the heart of design.” 
Developmental testing provides understanding of the system before it is built so that those 
characteristics can be incorporated into the design, while verification testing determines if the 
as built design meets the system requirements. Testing is best accomplished using a building 
block approach so that the elements and the system as well as system interactions are 
understood. In today’s world cost restrictions are eliminating many of the building block tests 
and/or the final system tests. This places more risks on the first flights and can result in 
design changes after hardware is built which within itself Is as costly. This principle has been 
demonstrated in most space flight projects. Avionics components and mechanisms have at 
least six types of tests: development, qualification, verification, certification, assurance, and 
acceptance. Finally any test is based on a set of assumptions; therefore, no test is better than 
the assumptions used in the test hardware and the test conditions and environments. 

Types of Tests 

The following is a list of the types of tests generally used on space systems. 

1 . Development Tests 

2. Qualification Tests 

3. Certification Tests 

4. Process Assurance Tests 

5. Acceptance Tests 

6. Systems Integration and Verification Tests 

7. Flight Readiness Firing 

8. Other Tests (Flight tests, etc.) 

Development Tests are tests conducted throughout the design cycle of a project and are 
used to get basic information about the characteristics of the system, so that the design 
incorporates these characteristics and can handle the situations induced. Developmental 
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tests include wind tunnel testing, scale model dynamic testing, thermal testing, materials 
testing, component vibration testing, acoustical testing, etc. and are fundamental in 
understanding systems. Component vibration tests and thermal vacuum tests uncover design 
flaws that can be corrected before final design is completed. 

Qualification Tests are generally of flight type or flight hardware that are tested to at least 3 
sigma levels of the environments with the component carrying out certain flight type 
functions. Minor changes are easily made after these tests and if changes are required, the 
tests are generally repeated. 

Certification Tests are usually for things like liquid propulsion system engines that can be 
ground tested under flight conditions using both flight hardware and flight operational 
procedures. For example certification of the Space Shuttle Main Engines requires that two 
identical engines be tested under flight profiles and operational procedures for 20,000 
seconds. Some of the major problems experienced during certification testing will require 
hardware changes and a repeat of the certification testing or flying the engines under waivers 
and operational constraints. 

Process Assurance Tests are generally for solid rocket motors and pyrotechnic devices. 
Hardware like this is either very costly or is destroyed in the tests so lifecycle testing is not 
appropriate. The test program usually consists of a few (say 5) motors or devices before 
flight. During the operational program, a motor or device is periodically pulled from the 
manufacturing line and tested to ensure that the build process is still meeting requirements. 

Acceptance Tests are usually of avionics and mechanisms where each unit is tested when it 
comes off the production line. The tests are not of full flight duration and are at reduced 
environments. This testing is to eliminate manufacturing or infant mortality flaws. Flight liquid 
propulsion engines are tested in this manner using a short duration hot firing of the engine. At 
various times in space programs the engines attached to flight stages are ground hot fired for 
short durations to understand the interaction of the engines with the main propulsion 
systems. 

Systems Integration and Verification Tests are of many types to checkout the integrated 
system, validate analytical models and induced environments. The following is a partial list of 
integrated tests for launch vehicles. 

• Hardware integration and checkout 

• Integrated ground vibration (dynamic) tests to validate dynamic models 

• Main propulsion tests to understand the integration of engines with the main 
propulsion system elements and software. 

• Integrated avionics tests using hardware/software components. 

• Large scale wind tunnel verification testing for aero and thermal environments. 

We can also do Flight Readness Firings on the launch pad, of short duration burn time, of 
launch systems with liquid propulsion systems. This is done to check out the MRS of any 
major changes made from prior configurations. One final test program is the Flight Test 
programs of launch vehicles, where the first two or three flights are test flights that are heavily 


171 



instrumented in order to determine combined environments and interactions that are that are 
not possible to accomplish in the above discussed tests. Flight testing has uncovered many 
major problems that were not found during the above tests. The following is a discussion of 
some major tests of previous space systems. 

Examples: 

• Saturn V Dynamic Tests 

• Space Shuttle Dynamic Tests 

• Summary of Dynamic Test Impacts 

• Space Station Static and Dynamic Tests 


Saturn V Dynamic Tests 

Saturn V was dynamically tested as both scale models and full scale flight-like 
hardware. The full scale dynamic test was of the total system and of each stage of launch 
vehicle flight in free-free boundary conditions. A hydraulic bearing was developed to create a 
free-free boundary in the lateral planes. Liquid hydrogen was simulated using ping-pong 
balls. Water was used to simulate liquid oxygen. The on-pad modes were verified with the 
famous “Tennis Shoe Test” where engineers went to the top of the assembly facility and 
excited the first bending mode by pushing with their feet. Tennis shoes were worn so as not 
to damage the Command / Service Module. 

Several issues were uncovered in the free-free full scale dynamic test that included 
excessive rotational deflections of the rate gyro attachment plate (as described in Lesson 5). 
This required moving the rate gyro to smaller deflection area in the Instrument Unit (lU). 
Overall there was good correlation of all test lateral modes with analytical predictions. A table 
shown at the end of this section contains all the major findings in the dynamic tests 
conducted at MSFC. [Grimes et. al., 1979] 


Space Shuttle Dynamic Tests 

Figure 19-1 shows the Space Shuttle Orbiter being moved into the dynamic test stand 
for mating with the External Tank and the Solid Rocket Boosters. Also shown are the various 
dynamic tests conducted for Shuttle and the basic characteristics of the complex Shuttle 
configuration consisting of four bodies connected with forward and aft interface joints. This 
resulted in approximately 200 bending modes below 20 FIz. [Jewell et. al., 1980] 
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Shuttle Dynamic Tests 



• Space Shuttle Dynamic Tests 
uncovered several modeling 
problems. 

•There were four model sets 
for the dynamic tests. 

1 . Vs scale model 

2. V 4 scale model 

3. LOX Tank Modal 

4. Full Scale 

•Multi-bodies connected with 
point interfaces (struts) have 
many dynamic coupled 
bending modes. Shuttle has 
200 in the range of 0-20 Hz. 


Figure 19 - 1 . Shuttle Orbiter Being Installed Into Dynamic Test Stand 


Initially it was deemed that a full scale dynamic test was not needed and in addition 
not doing the test wouid save the program at ieast $20M. The method used to justify the test 
was based on risks and their consequences on the various discipiines that used the dynamic 
vehicle characteristics for response and stability design. Typically these disciplines are: 

1 . Control response and stability 

2. Dynamic response and loads 

3. Aeroelasticity 

4. Pogo 

Figure 19-2 illustrates how various dynamic tests increase confidence and reduce the 
flight risk for the pogo discipiine. Similar charts were developed for the other above listed 
discipiines. Combination of the four resulting risk reductions and the impact on the program 
compiexity and risk if the test was not completed, resulted in the dynamic test being justified 
and accompiished. 
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Shuttle Dynamic Tests 


fOOO CONFIDENCE 



Figure 19-2. Pogo Confidence Factor Increase with Tests 


One important test for validation of the pogo analytical model used for stability analysis 
and pogo solution design was full scale hydroelastic test of the LOX tank. This validated 
model was then combined with the overall vehicle model validated by the MVGVT. This was 
a very interesting test of the full scale LOX tank filled using water to simulate various flight 
conditions. The test configuration is shown on Figure 19-3. The first test condition was a full 
tank, and when the hydroelastic mode was excited there was basically no damping in the 
mode. This was the case for tests at lower fill levels until the tank was about two-thirds full, at 
which time the damping became the expected value. 
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Shuttle Dynamic Tests: LOX Tank Modal 




1 South lower 

2 ET-Interlonh 

3 Small air fuspension pod 

4 Large air lutpenslon pad 

5 Support ring 

6 North tower 

7 ET- LO, lank 

8 Radial shaker platform 

9 Rodlol shaker assembly 
10 Jacking frame 


TANK HYDROELASTIC 
SURVEY TEST 


Orientation of Canted 
configuration 


Figure 19-3. Shuttle LOX Tank Hydroelastic Test Configuration 


The plot of damping versus fill level on Figure 19-4 illustrates the results just 
discussed. Once the model of the test condition was vaiidated, then LOX instead of water 
was used in the anaiytical modei. The use of LOX instead of water decoupied the structure 
from the fiuid mode and no flight fix was required. The resuits iilustrate the sensitivity of 
dynamic coupiing and the need to conduct buiiding biock testing approaches. [McComas, 
1980] 
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Figure 19-4. Shuttle LOX Tank Propellant Damping 


Summary of Dynamic Test Impacts 

The following tables (Figure 19-5) summarize dynamic testing experience and its 
impacts on the projects. [Jewell et. al., 1980] [Emero, 1979] Shown in the first column is the 
test program, with the second column being the problem discovered. The hardware impacted 
is the third column and the consequence if not discovered is the last column. The first item is 
the local deflection of the Saturn V lU mentioned earlier and the potential impact of a bending 
mode control coupling instability if it had not been discovered. 
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Dynamic Testing impacts (a) 


TEST 

FRClERA^Ii 

rROILEM&DlSCDVtIttC 

HARDWARE IMPACTED 

CDHSEOUENCES IP NOT DISCOVER EO 

SATURN V 
DTV 

LOCAL flDTATlON OF THE HICHTfiYHQ 
SUWOftT PLATE. VEHICLE DVft AW C 
SHEARS AND MONENTR OEFORHEU 
SUPPORT PUTE. TREMATHMQDEl 
UNDER PREDICTED TH^SDCFLinHATIDN 
BV13& PERCENT 

THE GYROS WERE RELDCATEO TO THE 
i SOnOMDFTHESUPPOflTPLACE 
WHENE THE LOCAL ROTATION IAS 
MUCH LESS. THIS RE DUIREO WIRE 
HARHESSES OF NEW LENGTH. THE 
flight CONTROL FILTER NETRORH 
WAS REDESIGNEO 

FLIGHT CONTROL INSTABILITY RESULTING 
IN LOSS OF VEHICLE. 

MARL 

DESICH PEriCIEMCV IH THE lU 
»TAPIC PLA Tf DRM. COUFU NG 
PETIKE HI TH 1 STAPL EPkATFDHUAMD 
THE RING MODES OF THE IUf«:D- 
VIDiD A MECHANISM FOA ACDUS- 
TICAllV OAIVINC THE PLATT OflM 
ACCElEAOMETE A AGAINST THE STOPS. 

$HDHT channel STIFFENS ns WERE 
AUWI TO AS »1 QN THE PAD 
DAMPING MATERIAL AND A SOFTWARE 
miASDNAILENESS ' TEST WERt ADDED 
LATERIHTHfPflOCftAM. 

LARGS BUIDANCF FHR0RSTH4T COULD 
CAUSS LOSS OP LUNAH MISSION. 

SATURN V 
OTV 

DESIGN DEflCIENCV IH THE CfM 
INTEAFACE- THE SINGLE TDlftl ON AL 
SWAT GRACE PRODUCED UNPRE^ 
DICTEG HIGH CDUPLIHG BETHEEH 
COMMAND MODULE rDHSIONAl 
MOTiaMAND S^tC ENGINE 
DEPLECriDM. 

A[3DltlONALTDRSIOi|AL SWAVIRACES 
WERE lf^TALAEI» ON AS SB1 ON THE 
PAO. SUBSiaUEHTLV.THEF I 
ENGINES WE RE HEUfllFtCED TO 
REDUEt LOADS AT ENGINE CUTOFf 
AN ENGINE PRECANT PROGRAM WAS 
IMPLEMtNTED TO HAINTAIIf ST^UC- 
1 11 RAl rNTEQRITV IH CASE OF ENGINE 

DUTr 

STRUCTURAL FAILURE OF THE GSM 

Interface with lqes op vehicle ano 

POSSIGLE CREW LOSS. 

SATURN V 
DTV 

DESIGN DEFICIENCY IN THESfS 
TANK SUPPORTS. MNEKPECTTDtV 
HIGH LOCAL R ESOMANT COUPLING 
WAS DETECTED BETWEEN SPS TANA 
AND BULKHEAD SUPPORT. 

THE UPPER SUPPORT CRAGKETFOR 
THE St>S TANKS WAS REDESIENfO TU 
ELIWifATE A STRONG TANK CANTI- 
LEVER MUOE. 

HARDWARE FAILURE RESULTING IN 
LQSSDFM^IDN ANOFOSSIPLE 
CREW LOSS. 

SATURN V 
OTV 

HIGH IDK AND FUEL DYNAMIC TANK 
OOTTOmNNESSuNES. these pres- 
SURES WERE UNDER PREDICTED IV 
AFACTOROf Z. THE SIGNIFICANCE 
QFTHESEPHESSUHESWASNOT 
UNDERSTDOD UNTIL AFTER POGD 
aCCUHNEDON ASSI2. 

THE HIGHER TANK PRESSURES %^H~ 
TflrBUHUTD THESlCPOSn. 

potential ids of VEKICLf AND 
tftEWOUETDPUDO. 

1 


177 




Dynamic Testing Impacts (b) 


TEST 

PflDCRAU 

FnOBLfMS DISC OV EH ED 

HAROWAflE MPACTEO 

CQNSEOUENCESIF NOT DISCUVEREU 

SATt^HH V 
OTV 

HICH It HZS-ICCROSStlAMMDOE 
DArpit. OTV DATA SNOWED THAT 
AD ACCUMtflATDR SHOULD DOT 1C 
USED DU THE INIDARD EUGIME. 

elihihattoh of a planned INIOARD 
ENGtNE ACCOMOLATDR. 

Potential loss of vehicle and crew 
Due topdgo between an is hz accu- 
hulatdrmode AND the 11 HZ CROSS- 
IE AM MODE. 

SAFUflHV 

SHORT 

STACK 

STH OH B mCH/i. OH GITUOIH AL 
COUPUHG CAUSED SY THE LUNAR 
MQDULE lUCHEASfO THE S-1C 
POCO GAIN r ACTDH BY IS PERCEHt. 
THIS EFFECT COUPLED WITH THE 
TANK PHfSSUR E UNO E HPH 1 Dl CTIQ N 
WAS THE DEASCN AS-SIE POGD 
WAS NOT PREDICTtO. 

DEmOPMENT AND INSTALL AltON OF 
THE OUTBOARD LOX ACCUMULATORS. 

FG E Q IH$T ABli IT V WITH potential LQSS 
DF VEHICLE AND CREW. 

SATUflJl V 
HlNkA/C 

THE MECHANISM THIGCIHIMG S-ll 
POeO WAS DEFINED. COUPLING 
OET4KEN THE FIRST FOUR LOR TANK 
N YDROEL ASTIC WOOES WHEN THEY 
COALESCED WITH THE Tl HC 
CENTER EKCINE CAOSSEEAMMODE 
FRDDUCEO THE PDGOINSfAEILITIES. 

AM ACCUWUL ATDR WAS DE VEIDPED 
FDR THE CENTER ENGINE. A BACK - 
UP CUTOFF SYSTEM WAS ALSO 
DEVELOPED. THE AC CUR ATE MATH 
WOOELOEVEl OPED DURING THIS 
TEST supported EXTENSIVE THRUST 
STRUCTURE DESIGN MODS ON SUB-' 
SEOUENT VEHICLES WITHOUT FURTHER 
TESTING. 

PODO INSTABILITV WITHPOTEHTIAl LOSS 
OF VEHICLE and CREW. 

SKFLAH 
ATN TfST 

SrOGNG CflDSSCOUPLINC BETWEEN 
LONGITUDINAL AND LATERAL WQTIONS 
INDICATED A POSIILE STRUCTURAL 
FAILURE AT $-1C CUTOFF. 

A l-S-T EHGIHE CUTOFF HAROWARE 
AND SOFTWARE MOD WAS OEVtLOPED 
TO REDUCE THE lONGITUOINAi INPUT 
TO THE ATM. HAHOWAHE REDESIGNS 
WERE LAID OUT IN EASE THEY NERf 
PROVEN NECESSARV tV FURTHER 
STUDY. 

HARDWARE FAIlUHt WITH POTENTIAL 
LOSS OF MISSION. 

SKYLAi 

MDDAl 

SURVEY 

THE STHONG CROSS EUUPlIHG IN THE 
ATW PRDVED TO »E ATTENUATED 
RATHE fl THAN AWPLIFIED BY THE WAY 
ATHCHOS COUFLINB REACTED 
THRU VEHICLE INTERFACE. 

TEST OF the TOTAL SKViAB LAUNCH 
CONFIGURATION PHOVED THE 1-2-2 
FIKWAS ADEOUATE AND THAtND 
HARDWARE CHANCES WERE REaUIRER. 

THISTESTSAVEO APDSStILE REDESIGN 
OF THE ATM IT VERIFYING STRUCTURAL 
IMTEDRITV UNDER THE 1 -Z-2 CUTOFF. 
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Dynamic Testing impacts (c) 


TEST 

EHQGilMI 

PRD&LEMS DISCOVEnED 
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SHUTTLE 
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AXIAL SSME FREOUENGIES ANO 
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SHELL OYHANHC MATH MODEL USING 
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METRIC math MODEL Of THE SSME 
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6EENSU5FECT. 

SHUTTLE 
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THf REG UN DANCY MANAGEMENT , 
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CYCLE COUNTER LEVELS WERE 
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ROUTINE WAS HOOIFIED TDIMIIIIT 
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AFTER FIRST SENSOR FAILURE 
(FORSTS-I FLIGHT ONLY: OTHER 
FLIGHTS WILL IE EVALUATEO.I 

P0S5IILE LOSS OF VEHICLE. 

SHUTTLE 

internal SRG PRESSURE EEFECTS 

LOAD IMPACTS WITH MINOR REIESIGH 

POTENTIAL FAILURE OF INTERFACE 

nUAHTER 

SCALE 

ON STIPE ness OVER PREOICTEO. 

OF INTERFACE lACKuP STRUCTURE. 

1 

AND LOSS OF VEHICLE. 


Figure 19-5. Dynamic Testing Impacts 


Space Station Static and Dynamic Tests 

It is a requirement that all payloads flown on the Space Shuttle must be dynamically 
tested to ensure human flight safety. Accomplishing this test for the Space Station modules 
required that there be a solid fixture to provide a very rigid attachment for the Orbiter payload 
bay attach hardware. This heavy steel fixture was anchored in 20 ft of concrete so that it 
would not move and therefore establish accurate boundary conditions for the payload. The 
test setup is shown on Figure 19-6. This fixture was applied to resolve any issues related to 
the indeterminacy of the payload attachment to the Shuttle Orbiter. It provided correct 
simulation of the boundary conditions between the payload and the Orbiter attachment. The 
tests provided data to verify dynamic models that were used in design to ensure crew safety. 
[Author’s working files] 
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Space Station Static/Dynamic Test 



Figure 19-6. Space Station Module Test Setup 
<> A key message from Lesson 19 is: 

Test what you fly. 

Fly what you test. 


Lesson 20: Independent Analysis, Test, and Design Keys 

to Success 

® Compiex systems require independent anaiysis, test, and design; this provides in- 
depth insight. 

Eii Space Systems are so complex, no one analysis or test can provide all of the 
answer. 

Eii The creativity of the human mind is the source of our solutions. Initially we 
need to hypothesize and assess various solutions. 

Eii We must be open to other insights. (Senge’s advocacy/inquiry). 

During design and development, some problems that are encountered are out of our 
experience band. This happens in situations where there are high power densities and when 
the system limits are expanded. In rocket propulsion systems, effects of high chamber 
pressures and temperatures along with reduced size (reduced weight) are examples where 
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problems can be expected. As a result, independent analyses, tests, and designs are 
needed to provide insights to avoid catastrophic events. In most cases the physics are so 
complex no one analysis or test can provide all the solutions. To achieve an understanding of 
complex situations, it takes multiple analyses, tests, and especially the creativity of the 
human mind. In this process, engineers must be open to the insights and questions of all 
participants. It takes a combination of human minds to put together these highly interactive 
complex puzzle solutions. 

Examples: 

• SSME Whirl Solution 

• SSME LOX Pump Spalled Bearings 

• SSME Main Oxidizer Valve Buzz Solution 

SSME Whirl Solution 

Both the fuel and LOX turbopumps experienced rotordynamic whirl instabilities during 
the development of the SSME. When a system is rotordynamically unstable, the shaft can 
precess in either a forward or backward direction. An example of whirl instability is shown in 
Figure 20-1. 



Figure 20-1. Turbopump Whiri 


In this figure the shaft is rotating at some required speed, i.e., synchronous frequency, 
about its center line. Simultaneously processional motion occurs, represented in this figure by 
the bent distorted shape. The rotational speed (frequency) of the bent distorted shape is the 
processional speed and it is usually at a subsynchronous frequency. For a linear system, this 
frequency is one of the system natural frequencies. The ratio of the subsynchronous to the 
synchronous frequencies depends upon the cause of the instability. Rotordynamic 
instabilities have been caused by effects of internal rotor friction, annular journal bearings, 
turbine blade Alford forces, impeller-diffuser interactions, pulsating torque, axial-radial 
coupling, etc. 
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Figure 20-2. Acceleration Power Spectrai Density (PSD) Isoplot 


Shown in Figure 20-2 is an isoplot of the output of an acceierometer on a turbopump 
where there is rotordynamic instabiiity. In this three dimensional plot the power spectral 
density (PSD) ampiitude is the vertical axis and the axes in the plane represent time and 
frequency. If there were no instability, the acceleration response wouid be only the 
synchronous frequency as shown on the right side of the figure and in addition there wouid 
not be a significant amount of noise. However, when there is rotordynamic instabiiity, in 
addition to the synchronous frequency there wiii be a subsynchronous frequency as shown 
on the ieft of the figure. As seen in Figure 20-2, the ratio of the subsynchronous frequency to 
the synchronous frequency is about 1/2. This is typical where instabilities are induced by 
effects associated with journal bearings, see reference [von Pragenau, 1982]. In journal 
bearings the flow between the rotor and stator is Couette flow and the Couette flow factor 
C=1/2 since the velocity profiie is linear. 

In the development of the SSME, the first incident of rotordynamic instability was in 
1976. The instabiiity was in the high pressure fuei turbopump. In this case the interstage seal 
was changed from a labyrinth seal to a step smooth seal along with stiffening the shaft and 
bearing carriers. The critical frequency went from about 9,500 rpm to 18,000 rpm. Thus the 
onset speed would be about 36,000 rpm. 

The SSME LOX pump first experienced rotordynamic instability in 1982. A damping 
seai bearing was implemented on the pump end. LOX is suppiied by the preburner pump 
impeiier and discharges through the pump end bearings. As a consequence of the damping 
seai bearing, the instabiiities were suppressed. In the region of the damping seai bearing, the 
stator was roughened and Couette flow no longer had a linear velocity profiie. The Couette 
flow factor was reduced moving the onset speed out of the region of operation. Although 
George von Pragenau conceived the damping seal in the mid-1970’s, it wasn’t implemented 
until 1982. The damping seai bearing was a technical breakthrough that enabled 
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rotordynamic stability in both the LOX and fuel turbopumps. It moved the instability onset 
speed out of the operating range with significant margin. 

In 1986 there was an attempt to operate the SSME at 109% power level. The speed of 
the fuel pump would be near or slightly exceed 36,000 rpm (potential onset speed). A 
production pump was built without a damping seal bearing with the thought that if there was 
instability a damping seal bearing could be added. In the initial test, the pump speed was 
36,860 rpm and there was instability. The interstage step smooth seal was replaced with a 
damping seal bearing and instability was eliminated. 

Whirl motion results in high static and dynamic loads that catastrophically impact the 
system through bearing wear and/or rubbing of the rotating assembly. This is unacceptable 
and will result in loss of hardware. Action must always be taken to eliminate whirl instabilities 
in rotating machinery. 


SSME LOX Pump Spalled Bearings 

Before the first flight of the Space Shuttle, there was spalling (pitting) of the pump end 
bearings in the SSME LOX pump. Shown in Figure 20-3 is the Rocketdyne LOX turbopump. 
The duplex bearings are shown on the pump end. 



Pump End Bearings 

Figure 20-3. Rocketdyne LOX Turbopump 


The cause of spalling was unknown. In fact, it was not known if it occurred at startup, 
steady state running, or shutdown. In addition, there were no engine failures because of 
spalling during development testing. 

It was not known if spalling was a failure mode. It was decided to put spalled bearings 
in several turbopumps and test them for 800 seconds. All the turbopumps had redline 
protection and it was thought that if there was an incident the redline protection would shut 
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the engine down before serious damage could occur. It turned out that the pumps were 
tested without an incident. 

As a consequence of these tests, spalling would not be a flight Issue and the first flight 
was successful. However, the bearings were replaced after every flight. In addition, turbine 
blades were replaced after every flight. The cost of these replacement activities was $3 
million per pump. The turbopumps that are being flown today have silicon nitride bearings 
and this is no longer a concern. 


SSME Main Oxidizer Vaive Buzz Solution 


During development testing there were two major engine failures caused by 
acoustically Induced vibrations in the vicinity of the main oxidizer valve (MOV). In addition, it 
was observed that about 20% of the engines had these vibrations without serious 
consequences. Initially It was determined that the high vibrations were coming from the MOV. 
This was perplexing since the MOV had no moving parts. Shown in Figure 20-4 
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Figure 20-4. Main Oxidizer Valve 

is a MOV pictorial cross-section on the left and on the right is a cross-sectional sketch of the 
cavity/shim region. In the valve there is a bellow spring and at the end of it is a Kel-F seal. 
The purpose of the spring and seal is to keep the MOV from leaking. Each MOV has to be 
individually adjusted to obtain the required sealing. In the figure on the right, it can be seen 
that the region in the vicinity of the tangential cavity a “gap” is formed that varies horizontally 
depending on the sealing adjustments. The LOX inlet flow to the MOV develops vortex 
shedding frequencies across the .343 inch gap thereby producing “edge tones” which are 
then tuned with the longitudinal acoustic duct mode and the tangential cavity acoustic mode. 
This tuning resulted in a “whistle” with an RMS pressure amplitude of about 165 psi and a 
fundamental frequency of about 7,300 Hz. These high pressure amplitudes vibrated the parts 
inside the valve until rubbing occurred causing a fire and significant hardware damage. A 
contributing factor to the high amplitude pressure oscillation was the 800 psi dynamic 
pressure in the LOX line (e.g. high power density). 
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Figure 20-5. MOV Vibration Test-to-Test Response 

Figure 20-5 shows data from a consecutive sequence of SSME tests. At the top are 
the MOV vibration responses, Gms . as a function of time, in the middie are the thrust profiles 
as a function of time, and at the bottom are PSD’s of the vibration for each test. Each of these 
tests were at the same power ievei, but as can be seen the vibration ievels increased from 
test to test. At the bottom of Figure 20-5, it can be seen that the vibration ievels went from 
368 to 1230 g’s. 
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Figure 20-6. MOV Inlet Pressure Fluctuations 
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Shown on Figure 20-6 is a typical PSD of the pressure fluctuations at the inlet to the 
MOV. It can be seen that overall rms level is 165psi. At 7,300 Hz. the rms value is 127psi and 
at 14,600 Hz the rms value is 78 psi. These high fluctuating pressure levels are a 
consequence of frequency tuning of the vortex shedding, longitudinal acoustic duct mode, 
and tangential acoustic cavity mode. This tuning situation is compounded by the fact that the 
amplitude of the pressure fluctuations is proportional to the dynamic pressure and it is about 
800 psi. 



Figure 20-7. Acoustical Mechanism 


Shown in Figure 20-7 is a Campbell diagram that illustrates and verifies the tuning 
mechanism. In the region where the tuning is indicated, it shows frequency results from LN 2 
flow testing of the MOV, Rossiter’s vortex shedding equation, longitudinal duct mode, and 
flange gap cavity tangential mode. All these frequencies coalesce resulting in tuning of high 
pressure fluctuations that caused the MOV high vibration levels, see reference 
[Schutzenhofer et. al., 1980]. 

The approach to eliminating these high acoustical pressure fluctuations was to put a 
shim in the flange gap cavity so as to “fill/close” the tangential cavity gap and prevent the 
vortex shedding/edge tones from being generated. Thus, the source was eliminated. 
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Figure 20-8. Effect of Fix 


Shown in Figure 20-8 is a comparison of vibration responses of the MOV with and 
without the shim. It can be seen that the g-level went from 338 g’s to 33 g’s. Thus, the 
mechanism was verified along with the shim fix. 

In rocket propulsion systems there are high power densities. This can be illustrated if a 
comparison is made between the dynamic pressures of a iaunch vehicle in fiight and the 
dynamic pressure of flow (e.g. MOV) in a rocket engine. In the flight of a launch vehicle the 
maximum dynamic pressure is about 5 to 6 psi. This is important because aii the point, 
distributed, and unsteady ioads are proportionai to the dynamic pressure. In the case of the 
MOV the dynamic pressure was 800 psi. Here too, aii the steady and unsteady ioads are 
proportional to the dynamic pressure. The consequence is: things that may usually be 
unimportant now become important. In this case, two SSME’s were lost to an otherwise 
seemingly “benign whistle” that produced MOV vibration levels as high as 1230 g’s; caused 
by tuning and high dynamic pressure. Eventuaiiy, the MOV probiem was resoived by 
independent anaiyses and component tests. 

® A key message from Lesson 20 is: 

Our history tells us that critical areas require independent parallel analyses, 
test, and design activities; along with the creativity and innovation of analysts 
and designers. 
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Lesson 21 : All Analyses and Tests are Limited 


® All analyses and tests are limited. They are based on a set of assumptions. Don't 

extrapolate beyond the assumptions. 

Eii Anaivses are iimited : boundary and initial conditions, physical 
parameters, sub-models, numerical methods, etc. 

Eii Analyses should precede tests 

Eii Tests are limited : simiiarity parameters, boundary conditions, partial test 
models, lack of combined environments, instrumentation, data 
processing, etc. 

E'3 Benchmarking anaiyses and tests is required to extrapoiate to fiight 
conditions 

E'3 Determine sensitivities with respect to key variables 

E'3 Analysis and test results should have associated uncertainties identified 

All analyses and tests are limited. They are based on assumptions and models. Don’t 
extrapolate beyond a validated set of analyses and tests. 

The level of analyses has significantly advanced due to the speed and capacity of high 
performance computers. However there are limitations due to numerical methods, sub- 
models, definition of initial and boundary conditions, physical parameters, etc. Similarly, there 
are limitations In testing, for instance: lack of ability of achieving similarity, boundary 
conditions, partial modeling, lack of combined environments, etc. Even though these 
limitations exit, the designer has to use a combination of analyses and tests to achieve the 
best balanced design. 

Initially, both the analyses and tests may be immature due to lack of definition of the 
design space. Analyses should always precede testing as a guide to test definition. After the 
test, the physics and design space will become clearer. Then the analytical modeling can be 
updated. This will lead to clarification of the design space and provide direction for additional 
testing. In complex situations there may be a series of iterations to both determine the design 
space and converge the modeling and testing, i.e. anchoring the model. 

In some cases there may not be exact similarity because of an inability to achieve 
testing in exact dynamically similar conditions; for instance, high Reynolds number flows, 
chemically reacting flows, etc. In these cases, methods have to be developed to account for 
lack of similarity. Sensitivity analyses with respect to key variables can provide insights into 
these effects and how to account for them in design. The ultimate determination in some of 
these cases is through flight testing, e.g. rocket engine plume effects. 

In both analyses and tests, uncertainty has to be determined. This can be achieved by 
comparisons to historical data bases, test, and expert opinion. 
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Examples: 

• External Tank GH 2 Diffuser 

• SSME Dynamic Environments / CFD 

External Tank GH 2 Diffuser: 

During the first test of the Space Shuttle Main Propulsion System (MPS), the 
GH 2 diffuser failed due to high cycle fatigue. Shown in Figure 21-1 is the MPS. 

The GH 2 diffuser is shown as the cylindrical object inside and at the top of the hydrogen tank. 
It promotes controlled mixing of hot incoming autogenous gas minimizing: ullage 
temperature, pressurant residuals, and gas impingement on the liquid surface during the start 
transient. The design goal is for the ullage gas to be like a piston pushing the liquid hydrogen 
out of the tank. 



Figure 21-1. Space Shuttle MPS System 


The design of the diffuser is based on the diffuser in the Saturn/Apollo S-IVB stage. 
The present configuration went through stress analysis and flow qualification testing. The 
results indicated that the diffuser had margin and was adequate for MPS testing. 

However, the diffuser was sensitive to flow induced vibrations. After 26 hours of helium 
purging and 1 .19 seconds of hot fire testing, the diffuser failed in the center of the cylinder 
with six pieces and portions of screen falling to the bottom of the LH 2 tank. Shown in Figure 
21-2 is the failed diffuser. 
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Figure 21-2. GH 2 Diffuser 


Initial analyses and testing indicated that the system was adequate. Subsequent to the 
MRS failure additional analyses and testing could not determine the failure cause. It was 
observed that a significant number of strain gages and accelerometers were on the test 
articles for the purpose of measuring response. This instrumentation dampened the response 
and all were removed except for three strain gages. In subsequent testing the response 
increased significantly and the diffuser failed in flow facility testing. Shown in Figure 21-3 (on 
the left) is the rms stress versus mass flow rate during helium flow tests. [Norquist, 1979] On 
the right side of the figure is the rms stress versus the number of cycles to failure. It can be 
seen that the rms stress is above the endurance limit of Aluminum 6061 and cyclic fatigue 
failure is imminent. 



Figure 21-3. RMS Stress for Aluminum 6061 before Fix 


The diffuser was redesigned and the .050 inch wall thickness of the aluminum was 
changed to a .085 inch wall thickness of 21-6-9 steel. In addition an inlet nozzle was used 
instead of a flat plate to reduce noise levels. The results of flow tests, shown in Figure 21-4, 
indicate that the redesigned diffuser’s rms stress was below the endurance limit. In 
subsequent MRS testing the diffuser functioned adequately. 
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Figure 21-4. RMS Stress for Steel 21-6-9 after Fix 
SSME Dynamic Environments / CFD 

During development of the SSME there were numerous fatigue probiems; many were 
the resuit of high static and dynamic environments driven by the high chamber pressure and 
exacerbated by tortuous fiow paths with protuberances and cavities. Exampies of faiiures 
inciude: LOX posts, main oxidizer valve, flow meter, splitters, high pressure fuel pump 
impeller, capacitor probe, etc. 

Prediction capabiiity in these extreme environments was limited to nonexistent. For 
example, flow analyses in the H-1 , F-1 , and J-2 engine programs were one and two 
dimensionai and the chamber pressures were: Pc = (FI-1 , 652psi; F-1 , 982psi; and J-2, 
763psi). In addition, these engines were expendabie. In comparison to the SSME, its 
chamber pressure is SlOOpsi and the engines are reusabie. The static and dynamic flow 
induced loads can increase by at ieast the ratio of the chamber pressures (e.g. factor of three 
from F-1 to SSME). 

At the beginning of the SSME program the flow analyses were mostly one and two 
dimensional. However, it became clear that knowledge of the environments needed to be 
improved. Although computational fluid mechanics (CFD) had been tried over the years, its 
lack of maturity did not support design activities. However, improved computer capacity and 
speed, advanced numericai methods, and turbulence modeling couid potentiaily enable 
application of CFD to design. In 1987 CFD was introduced into the design process with the 
goal of making it a design tool. To achieve that goai the following requirements were 
impiemented: (1) Integrate/improve the capabilities of propuision contractors, academia, CFD 
speciaiists, and government fiow anaiysts; (2) Improve CFD methods/codes as required for 
design; (3) Benchmark CFD methods/codes for engine application; and (4) Implement results 
into design process. 
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Two Stage Turbine 



Ignition Over Pressure 



RSRM Internal Flow 


Figure 21-5. Examples of Computational Flow Dynamic Results 


A consortium of CFD analysts and flow testing specialists was formed to focus 
activities on improving efficiencies of turbines, pumps, and combustion devices. Three 
respective teams were formed and about $5-6 million/year was allocated for CFD and $2-3 
mlllion/year for benchmark testing. Within a period of 4 years efficiencies in turbines and 
pumps were improved to the extent that the number of stages could be reduced. The cost 
savings for a program were $70 million for the turbine and pump stages each. 

Shown in Figure 21-5 are typical examples of CFD results. These activities support 
steady and unsteady flow loads, heat fluxes and thermal environments, and trajectory and 
performance analyses. CFD has evolved Into a significant design tool and has improved the 
fidelity and reduced the uncertainty of new design. 

While analyses and tests are critically important tools in design and development of high 
performance systems, the designer has to be aware of associated assumptions and 
limitations; including effects of uncertainty. If not thoroughly understood, misleading or 
incorrect results lead to very costly development problems, operational costs, and hardware 
redesigns. Check sensitivities; they provide indicators where there may be problem areas. 

® A key message from Lesson 21 is: 

Be aware of the assumptions and limitations of your analysis/test model. 

Don’t eat the menu! 
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Lesson 22: Scaling Is a Major Issue 


® Scaling is a major consideration. 

Eii Manufacturing process deveiopment 
E3 Scale model testing 
E3 Data anaiysis 

® Scaling is so commonly used that it sometimes is applied without critical 
examination. 

® To preclude misleading results, question and understand scaiing effects and 
the bounds of their appiicabiiity. 

Scaling is a major consideration in design, testing, and manufacturing. Scaling is used 
for many purposes, including: 

- Relating smaller test articles to full-scale hardware. 

- Relating and extrapolating test environments to flight environments. 

- Developing manufacturing processes using test articles that are 
smaller and less expensive than full-scale hardware. 

- Relating and extrapolating data bases derived from configurations 
different from the predicted flight configuration. 

Because scaling is used so commonly and frequently, it is easy to become complacent 
in its application. However, as is the case for so many aspects of the design process, scaling 
must be carefully and judiciously applied so as to understand its effects and not exceed the 
bounds of its applicability. 

Examples: 

• X-33 Fuel Tank 

• Saturn I Scale Model Dynamic Test 

X-33 Fuel Tank 

The X-33 Fuel Tank failure of Lesson 18 gives an example of a scaled manufacturing 
process that produced misleading results. The adhesive strength of the small-scale test 
panels was found to be adequate in test, but the size of the full-scale panels required a 
longer out-time for adhesive application before going to the autoclave. This longer out-time 
resulted in approximately 50% loss of adhesive strength in the full-scale hardware. 

Saturn I Scale Model Dynamic Test 

The Saturn I scale model dynamic test provides another example of unexpected 
scaling effects. It was planned to use a one-tenth scale model of the Saturn I for precursor 
dynamic tests. The small scale was chosen for expected economy and ease of testing. It 
was found that to obtain valid results, the tolerances and fasteners of elements had to be 
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proportionately scaled down. This entailed extreme accuracy of the test hardware, which 
was a challenge to produce. Only by using these scaled manufacturing tolerances could 
representative structural mode shapes and frequencies be obtained. [Grimes, 1970] 

® A key message from Lesson 22 is: 

Scaling is a major issue in design, testing, and manufacturing verification. To 
preclude misleading results, critically question and understand scaling effects, 
and apply validated scaling laws. 


Principle VIII: Anticipating and Surfacing Problems Must be 
Encouraged 

Many of the lessons cited in this report are derived from failures. What is needed is to 
find ways of precluding failures — to prevent them from happening. Three lessons on avoiding 
problems will be addressed: 

23. Must Hear and Understand All Technical and Programmatic Opinions 

24. There Are No Small Changes! 

25. Expect the Unexpected 


Lesson 23: Must Hear and Understand All Technical and 

Programmatic Opinions 

® Minority opinions are necessary and provide insight. 

Eii All our answers are incomplete, based on assumptions we select. 

Eii Different assumptions and perspectives are needed to get a more 
complete picture. 

Eii Our systems are very complex, highly interactive; therefore, we need all 
the insights we can get in order to ensure success. 

® Apply Critical Thinking and avoid normalization of deviances. 

Eii Think about how the real system will perform, and what could go wrong. 

E'3 Recognize and question model/test assumptions and deviations in data 
trends. 

As has been emphasized, space systems are exceedingly complex. Because of this 

compiexity, our understanding of the systems is aiways iimited and incomplete. 

Consequently, we must continually press to increase our understanding of the system and to 
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anticipate problems that may arise. Lesson 18 emphasized scrutinizing the hardware and its 
data in order to advance our understanding. Lesson 20 advocated independent analysis, 
test, and design as another component of understanding. This lesson addresses the 
importance of encouraging multiple viewpoints and opinions, for many perspectives are 
needed in the quest for the true composite picture of the system. 

In many cases, minority opinions can be the most valuable, as they often come from 
people who have a creative or unconventional thought process that may provide a unique 
insight. While it is sometimes inconvenient or uncomfortable to deal with minority opinions, 
they should be encouraged. They are often the best examples of the critical thinking that is 
essential to product success. 

Example: 

Wernher von Braun - Saturn I Test 

Consider the response of Wernher von Braun on a Saturn I dynamic test issue. The issue 
concerned data from the dynamic test for Saturn I which was used in control system design. 
One engineer, who was a creative individual, analyzed the data in an unconventional way, 
separating out the effects of the suspension system on the dynamic modes. Using these so- 
called corrected modes meant that the control system as designed would be unstable. 

Two weeks were allocated to study the problem. Further study revealed that the new 
modes were not real, but were a result of an artifact in the numerical analysis. At the end of 
the two-week period, a presentation was made to Dr. von Braun, showing that the mode 
shapes were good as originally analyzed; therefore, the system was stable and safe to 
launch. 


A laboratory director at the meeting complained that we had wasted two weeks “chasing 
rabbits”. Dr. von Braun’s response was, “What if he had been right? We always have time 
to get the right answer.” 


Twenty-five years later, this creative engineer who had analyzed the Saturn I dynamic 
data invented the prog ram -saving damping seal for turbomachinery. Did Dr. von Braun do 
the right thing in valuing and nurturing this kind of minority opinion and creativity? 


® A key message from Lesson 23 is: 

\Ne must listen to all technical and programmatic opinions. 


Listen 


Listen 

Listen! 


195 


Lesson 24: There are No Small Changes! 


There are no small changes. All changes occur in a system and 
therefore affect the whole system. 

The familiar saying “There are no small changes” means that all changes occur within 
a system and therefore affect the whole system, often in unexpected ways. This principle is 
sometimes caiied the Law of Unintended Consequences. 

Engineering history is replete with cases where this often-painfui iesson has been 
experienced. We will cite four such examples. 

Examples: 

• Tethered Satellite Level Wind Bolt 

• Saturn Sl-C Pogo 

• Saturn S-ll Pogo 

• External Tank Insulation Biowing Agent 

Tethered Satellite Level Wind Bolt 

The Tethered Satellite was intended to be depioyed from the Shuttle Orbiter payload 
bay on a 22 km tether, to explore numerous promising technologies that tethered systems 
might enabie. The tether was deployed and retrieved from a spool in the payioad bay 
through a levei wind mechanism simiiar to those found on some fishing reels (Figure 24-1). 
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Ltvei Wind 
Ortva Chain 



Figure 24-1. Tethered Satellite and Level Wind Mechanism 


As the first tether mission was approaching flight readiness, an anaiysis showed that a 
boit on the ievel wind mechanism did not have sufficient strength for the predicted stress. A 
change order was prepared to change the boit to one having stronger materiai. Since the 
hardware was aiready assembled, there was a concern that there might be some shifting of 
the parts when the boit was removed, so in order to make sure the threads of the new bolt 
would engage, it was made ionger as weii as stronger. 

Running a tether deployment test after the change would have caused a schedule 
impact, since the tether reel system was already in the payload assembly facility. So no 
system verification test was done after this “minor” change. 

On orbit, the Tethered Satellite began its depioyment without event, but when it 
reached 256 m, it stopped and wouid not progress farther. The ionger boit had jammed the 
level wind mechanism. While a few mission objectives were achieved by this short 
depioyment, the main objectives were not. [Branscome, 1992] 

The second Tethered Satellite mission attained 19.7 km of its pianned 20.7 km 
depioyment before the tether broke and the satellite was lost. Subsequent assessment 
attributed the faiiure to an arc from the conducting part of the tether to the deployer, severing 
the tether. The arc probabiy initiated through a pinhoie in the tether insulation. This failure 
likely was not predictable, but could fall in the category of unknowns that the experiment 
uncovered. [Szaiai, 1996] 
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While there have been some subsequent smaller tether experiments, failure of the two 
large Tethered Satellite System missions essentially resulted in this very promising 
technology being set aside, which is a significant loss. And it began with a change thought to 
be so small as to not require verification. 

There should be system verification after any change. No change can be assumed to 
be “small”. 

Saturn Sl-C Pogo 

Pogo is a vehicle longitudinal structural oscillation that is coupled with the Main 
Propulsion System and the liquid propulsion engines in a closed loop manner, which 
increases the oscillation and creates instability. It is named pogo after the classical children’s 
pogo stick. Figure 24-2 illustrates the analogy between the pogo stick on the left and a 
launch vehicle structural and MPS system combined to produce the closed loop instability. 



Figure 24-2. Pogo Oscillation Mechanism 


Saturn V had two pogo instances. The first one occurred on the second Saturn flight 
AS-502 during first stage burn. The second occurred during second stage burn on the famed 
Apollo 13 mission. The first Saturn V vehicle AS 501 had no indication of pogo. Saturn AS- 
502 had a major incidence of pogo near the end of first stage (Sl-C) burn. There were 
indications of pogo on the second stage (S-ll) burn throughout the early program flights but 
were believed to be managed and under control; however, during the Apollo 13 flight, a near 
disaster occurred during the first 120 seconds of S-ll stage burn. [Ryan, et al, 1969]; [Larsen, 
2008] 
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The difference in the AS-501 and AS-502 vehicles was very minimal. The changes 
were small changes in the Apollo elements in order to better simulate their mass and 
dynamic characteristics. The changes were a shift in the mass of about 2,000 pounds in 
Service Module and Landing Module and 200 pounds added to the Launch Escape System 
(LEM) and 600 pounds added to the Command Module (CM). The mass change out of a 
liftoff mass of 6,000,000 pounds was a total of 900 pounds. This change on the front end of 
the vehicle increased the modal gain of the first longitudinal vibration mode about 30% and 
changed its frequency about 5%, causing it to couple with the LOX line mode. This caused 
the system to tune up and go unstable. Figure 24-3 shows the modal gain change, the 
frequency change and the coupling of the two modes near Sl-C stage burnout. 



Figure 24-3. Comparison of Si-C Longitudinai Dynamic Characteristics 


The fix was fairly simple and easily Implemented, Including a pogo accumulator around a 
prevalve (Figure 24-4). The accumulator detuned the LOX line from the first longitudinal line 
and the Sl-C stage did not experience any pogo on the remaining flights. It truly Is amazing 
that that such a small mass change on the front end of the vehicle that weighed 6 million 
pounds at liftoff could have such a large change on the dynamics of a vehicle the size of 
Saturn V. [Ryan, et. al., January 20-23, 1969] 


199 


Saturn V First Stage Pogo 



Figure 24-4. S-IC Pogo Accumulator 


Saturn S-ll Pogo 

The S-ll stage had shown on basically every flight some small coupled oscillations that 
were indicators of the pogo phenomenon. Most of these occurrences were a ballooning and 
decaying crossbeam acceleration at approximately a 12 Hz longitudinal mode, which was 
occurring during the whole burn of the S-ll stage. They were of small amplitude except 
during the last 60 seconds of burn. There was a pogo working group that was composed of 
engineers from all the NASA centers, academia and industry who were working on the 
problem. It was decided that because the large amplitude was occurring the last 60 seconds 
of S-ll burn, the center engine of the S-ll stage would be shut down at that point and the other 
four engines burned longer so as not to have performance loss. Figure 24-5 is a composite of 
data from several S-ll stage flights. 
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Figure 24-5. Pogo Occurrences on S-ll Stage Burns 


The center engine was the main contributor to the coupled oscillation as it had a 
strong coupling with the thrust frame participation in the longitudinal vehicle mode. In 
addition to the planned early shut down of the center engine, a “g” cutoff system was added 
to the gimbal area of the center engine as insurance to prevent vehicle failure. It was obvious 
that the engineering community did not fully understand the sensitivities and characteristics of 
this system, for on Apollo 13 around 120 seconds into S-ll stage burn a large pogo oscillation 
occurred, shutting down the center engine due to excessive engine pump pressures. In 
reality the oscillation of the thrust frame/engine gimbal point reached 34 g’s and probably 
yielded the thrust frame. This oscillation is seen on Figure 24-5. The fix was putting a pogo 
accumulator at the end of the LOX line, detuning the system and solving the problem. [Ryan, 
et.al., December 1970] 

External Tank Insulation Blowing Agent 

The Shuttle External Tank (ET) is insulated on the outside skin by blowing insulation 
onto the tank as it rotates within a fixture. Blowing agents used in the past do not meet 
current ERA requirements, necessitating a change to an environmentally-friendly blowing 
agent. Any change like this, and in particular one that influences such a large area must be 
recertified. It is standard practice to verify these kinds of systems by testing at the corners of 
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the environments boxes. In this case the environmental variables were pressure, temperature 
and flow conditions. When the tests were completed no difference in the response of the 
insulation was noted and the system was flown. Cameras were installed to see what would 
happen in flight and the insulation on the intertank was caught in a massive pop-corning of 
the insulation as the high temperature and low pressure condition were experienced. The old 
insulation had not shown this effect. The problem was worked extensively by a special team 
and in that process someone said that maybe the test should be run at nominal conditions 
and not in the corners of the environment combinations. When this was done the insulation 
pop-corned as it did in flight. It was found that when testing at the corners of the combined 
environments box that the extreme environments were venting the trapped blowing agent 
gases and there was no pop-corning but that when you tested at nominal environments the 
only way the insulation could vent the trapped blowing gas was to blow off small pieces of 
insulation. The message is twofold in that (1) no change is small, and (2) certification must be 
performed at all environmental combination levels. The fix was to punch small holes in the 
insulation after it was blown on so that it would have vent capability. Since that fix has been 
implemented there is been very little pop-corning of interstage insulation. Figure 24-6 shows 
a flight photo where half of the area had the small holes punched and had no pop-corning, 
whereas the other half without the fix did show pop-corning. 



Figure 24-6. ET Intertank Insulation With and Without Pop-corning Fix 


® A key message from Lesson 24 is: 

Don’t make unnecessary changes. 

- Better can be the enemy of good 
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- Be very careful if a change is required 
- Understand system interactions 

Verify the system with changes before flying. 


Lesson 25: Expect the Unexpected 

® Expect the unexpected -- Things are never exactly what they seem. 

Ambiguity is ever present in aerospace systems. Many things are basically 
unpredictable due to the immense complexity of the systems and many unexpected things 
happen. The unexpected events take many forms, from human, to nature, to the physics of 
the system we are dealing with. The nature of design and operations of space systems 
means that we must constantly be on the watch for signs and characteristics of these 
unexpected events. 

Example: 

Woodpeckers on the ET Ogive 

Only one example is used to illustrate these occurrences - the presence of a 
woodpecker pecking holes in the LOX tank ogive insulation while the vehicle Is sitting on the 
launch pad (Figure 25-1). The vehicle had to be moved back to the VAB to repair the holes, 
and means of keeping woodpeckers away were implemented. “Evil-eye” balloon scarecrows 
and owl decoys were placed near the launch pad. 

Woodpeckers on the ET ogive 




Resulting holes 


Countermeasures: Evil Eye 
balloons and owls 



At the launch pad before STS-70, woodpeckers dug about 6 
dozen holes in the ET insuiation. The vehicle had to be rolled 
back to the VAB for repairs. 

Figure 25-1. Woodpeckers on the ET Ogive 
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Expect the Unexpected! 


® A key message from Lesson 25 is: 

Design and operations of space systems require that you constancy must deai 
with ambiguity and the unexpected. This requires a constant focus on iooking 
for the ambiguities and the unexpected. 


Principle IX: Leadership is the Foundation 

We started this report with the principle of the primacy of people. We are returning to 
this basic area with the principle that “Leadership is Foundational”. In any engineering 
organization two key tasks to success are management and leadership. Both are necessary 
and important; however, leadership creates the vision that sets the sails of the organization. 
Without leadership any organization will eventually fail since there is no clear path of where it 
is going. There are several aspects of leadership but only two will be discussed: integrity, and 
focus beyond yourseif. 

26. Integrity 

27. Focus beyond yourself 


Lesson 26: Integrity 


® Sing your own "Music" 

® integrity is matching what you do and how you do it with what's inside you. 

"Your Calling" 

There are many facets or dimensions to integrity that are important to leadership. One 
that is pivotal is the match of what you are inside with what you say and do. It is of major 
importance that you are doing what is you, what is your way? Until you are working your 
inner calling the outward and inner are disconnected. The song “I Did It My Way” conveys 
some of what is meant here. Until what you are inside is what you are outside, leadership will 
have problems of trust by the organization. There are many examples of the application of 
this principle. George McDonough used to say about engineer’s writings, “As long as they 
are technically correct and get the message across, don’t get hung up on the style.” 

Example: 

Floyd Briscoe: “You must coach it your way. You can’t coach my way.” 

When Robert Ryan was coaching basketball in his second year as coach he got as a 
principal a former successful coach. The principal told him, “Coach, I will come to your 
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practices and help ‘you’ train the team.” After one week of trying to help in the gym, he called 
Robert into his office and said, “Coach, it won’t work having me in the gym to help. You have 
a different style and the boys can’t learn two styles. They need one leader and one system. I 
will stay in the office and we can have discussions where I can pass on to you what I know. I 
will try to adapt what I know to your system. You must coach it your way, not mine.” Did his 
approach work? Yes, in Robert’s second year of working with him the team won the 
Alabama Class “A” 8'^ District and State basketball tournaments. The next year the team 
won the Alabama Class “A” 8'^ District and 2'^'^ place State basketball championships. 

The other aspects of integrity are very important as well. If leadership is to be successful 
then all the aspects of integrity must be engaged. 

® A key message from Lesson 26 is: 

Without integrity, what you do and say is meaningiess. 


Lesson 27: Focus Beyond Yourself 

® You must focus beyond yourself, beyond the immediate. It’s Being versus 
Having . 

The tendency of individuals in an organization is to focus on their own interests and 
work areas and ignore other considerations. Everything we do in organizations is a system 
and what each individual does affects the total system. Because of these interactions it is 
imperative that we focus beyond ourselves and not build silos around our work and our self. 
One principle Bob Ryan learned from a professor at Vanderbilt-Peabody University was 
stated in the following way. “Each has a choice between focusing their life on having or 
being. The having iocus is social In nature emphasizing what one can get, whether it be 
recognition, money or position. Being is spiritual in nature and focuses on what one can 
become. It deals with what you are and how you contribute meaning to the organization, the 
individuals and society.” This requires that we not only perform our tasks in an excellent 
manner, but also focus on the whole. As Stephen Covey says in his book. The Eighth Habit, 
“Find your own voice, help others find their voice.” 

Example: 

Building Silos 

Eighty percent of problems occur due to a breakdown in the system, not in the 
individual discipline. However, we sometimes get so wrapped up in our discipline work that 
we fail to see the whole picture. Even worse, we often build protective “silos” around our turf. 
We must focus on the whole system so that we can see the interactions. 
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® A key message from Lesson 27 is: 

“Everything acts as a system; nothing acts independentiy. it is a whoie where aii the 
parts interact, many times in unexpected and unpredicted ways." - Jim, Bob, Luke 

“Systems engineering is one engineer" - Max Faget 


SUMMARY 


This completes a study of Lessons Learned in Engineering. The lessons derived from 
the authors’ experience have been distilled into principles that should be applicable across all 
technical areas. The principles and lessons are only important if applied. The key issue we 
face is the application of these principles and lessons to engineering organizations as well as 
their products. 

A related question asked by the Directors of Engineering at MSEC was: “How do we 
achieve excellence in engineering?” The authors’ approach to answering this broader 
question was a short course on Excellence in Engineering which is documented in a future 
NASA CR titled Excelience in Engineering. 


We started this report with a set of nine generic principles based on 27 lessons 
derived from our experiences in space flight systems. These principles and 
corollaries are repeated below. 

Lessons Learned Principles 

I. System success depends on the creativity, judgment, and decision-making 
skills of the people 

- People are our most important resource 

II. Space systems are challenging, high performance systems 

- High energy, high power density 

- Therefore, high sensitivity 

III. Everything acts as a system (whole) 

- We design by compartmentalization and reintegration 

- Understanding interfaces and interactions is crucial 

- Requires pervasive communications 

IV. The system is governed by the laws of physics 

- Reality can’t be ignored 

- Look to the real performance of the hardware and software 
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V. Robust design is based on our understanding of sensitivities, uncertainties, 
and margins 

- Must consider sensitivities, uncertainties, margins, risks 

- Aim for robustness 

VI. Project success is determined by life cycle considerations 

- Program constraints can result in a non-optimal design 

- Requirements can drive the design in unexpected ways 

- Early phases of project most influential on design 

- Design must consider full life cycle Including 
manufacturing, verification, and operations 

VII. Testing and verification have an essential role in development 

- We understand by testing 

- Must know limitations 

VIII. Anticipating and surfacing problems must be encouraged 

- Critical thinking 

- Think out of the box 

- Listen 

IX. Leadership is the foundation 

- Integrity 

- Outward focused 

- People centered 
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